security in the cloud

VISIT 2010 – Fujitsu Forum Europe 1

Cloud Computing – Room 13b

Shapingtomorrowwith you.

Security in the Cloudwith you.

John AlcockManaging Consultant,Fujitsu UK & Ireland

15:00 h15:00 h

VISIT 2010 – Fujitsu Forum Europe

Security in the Cloud

John AlcockManaging ConsultantManaging ConsultantInformation Assurance SolutionsUK & IrelandFujitsu


Fujitsu

4 Copyright 2010 FUJITSU

AgendaWhat do we expect “Security in the Cloud” to look like?Applying this to our organisationsFujitsu’s approach and experienceSummary and DiscussionSummary and Discussion

VISIT 2010 – Fujitsu Forum Europe Copyright 2010 FUJITSU5

What do we expect “Security in the Cloud” to look like?look like?

What is “cloud” and what makes us nervous about using it?


What is “Cloud”?Cloud Computing is a mechanism for the delivery of services. It is service-based, scalable and elastic, shared, metered by use, and uses internet technologies. Source: Gartner

Why are we interested?Consumer perspectiveSupplier perspective

Th iThree scenarios:Using pre-existing Cloud servicesMigrating Enterprise services to the CloudMigrating Enterprise services to the CloudCloud being used as part of the delivery mechanism


Barriers to Cloud adoption

Security and performance issues are at the top of the lists of concerns raised by organisations:

Security and compliance issues 38%Loss of local control 36%Vendor lock-in 30%Vendor lock-in 30%Lack of upgrade control 30%

Source: IDC


What makes security good?

ffEffectiveAppropriateAff d blAffordableEnabling Reass ringReassuringScalable


Applying this to our organisations

What to look forGood governanceGood governanceGood technology


Do security concerns constrain us?Lack of understandingFear of the unknownLoss of control

Business understanding is key


Do security concerns constrain us?Need to be very sure about country of operation

Must ensure legal and regulatory complianceCompliance has to be maintainedCompliance has to be maintainedThreat profile in country needs to be understoodLocation of dataLocation of support and management services

Who gets into the cloud?Our usersSupport staffOther customersOther customersAnyone else?

What happens when something goes wrong?What happens when something goes wrong?

How does it work?


How does it work?

Copyright 2010 FUJITSU12

Policies, people, processes and placesEvidence of good physical and procedural security measuresCompliance with legal and regulatory requirementsGood personnel security management – staff security clearance and aftercareOpen attitude to audit and inspectionsTransparency in operations so that you know where your data p y p y yis and the locations from which support is providedTechnical tools to manage - from a single dashboard - the g gsecurity and compliance settings across a virtual infrastructure


Architecture and DesignNetwork TopologyData Storage and OperationInput and Output End Points in SystemTrust BoundariesTrust BoundariesAccess ControlsSystem and Network IsolationSystem and Network IsolationCryptographic ControlsAd i i t ti C t l f S i P idAdministrative Controls for Service ProviderAdministrative Controls for Business Owner


The virtual worldAssess the logical network, applications, and services hosted in the Cloud.


Fujitsu’s approach and experienceFujitsu s approach and experience

The way we build our services


Fujitsu ApproachRange of security levels

On premises private infrastructure in data centre shared community infrastructure public infrastructureinfrastructure public infrastructureDifferent levels of assurance

Precision in infrastructure designPrecision in infrastructure designCare in process implementationSubject to external reviewSubject to external review


Where are we now?Security measures that are commensurate with the riskNo longer single levelCloud requires and enables a more profiled approach to security

What can and cannot live in the cloud?Would you trust putting anything into the cloud?What would you take from the cloud?What would you take from the cloud?What constrains us?


The areas Fujitsu focuses onService and Management – how the service operations function to deliver an overall approach to governance, risk and compliance incident management and the provision ofand compliance, incident management and the provision of audit services).Network the configuration of the network services toNetwork – the configuration of the network services to deliver separation and isolation of clients’ connections from their location to the service payloads in the data centre.their location to the service payloads in the data centre.Compute – the arrangements to provide isolation between customer capsules and management blocks.customer capsules and management blocks.Storage –the methods and approaches for segregating and protecting the storage assetsp g gPhysical – a rigorous approach to the physical security aspects of the service.

VISIT 2010 – Fujitsu Forum Europe Copyright 2010 FUJITSU

p

19

Security Defence in Depth in the Cloud

VISIT 2010 – Fujitsu Forum Europe 20 Copyright 2010 FUJITSU

Summary and DiscussionSummary and Discussion


Summary1. Identify, understand and manage security risks2. Take and push services in accordance with your

organisation’s risk appetite3. Satisfy yourself that you understand enough about the

services4. Make sure you will meet regulatory, legal and compliance

requirements5. Understand the architecture and design6. Focus how the service operations function7. Manage the use of the serviceg


Discussion


security in the cloud

Technology