The emergence of the Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) models are just two of many inflection points as IT migrates away from the traditional data centers and into the cloud, shifting more control over security from the enterprise to the service provider. How will your security and compliance strategy change when this transformation is complete? This presentation will explore technologies and strategies you need to adopt today to prepare to support security and compliance in the cloud age.

1. Predicting the Future: Security and Compliance in the Cloud Age

2. Introduction Misha Govshteyn – CTO, Alert Logic Work in security and web-scale architecture; operate high performance LAMP environment and Erlang-based compute grid Help hosting/cloud service providers deliver security services Secure Cloud Review blog -> http://www.securecloudreview.com/ What we do at Alert Logic

3. About this session Objective:Help you make security & compliance decisions that prepare your company for the future This presentation addresses a broad trend of consuming IT as a service Cloud in this context includes IaaS PaaS SaaS Why take such a broad view? Because each of these models has potential to significantly alter the way you protect your most critical assets

4. Putting 2010 questions in perspective Questions of today are less important than this fact : IT is increasingly delivered as a service Your IT footprint is already changing… probably adopting some form of cloud services network is already becoming decentralized Some of your data may already be off-premise IaaS? PaaS? SaaS? Private vs Public? IT vs Cloud?

5. Formulating a Security Strategy

6. Your Enterprise in 2015 platform ISV virtualdesktop saas     burst private HR CRM Finance POS web storefront Cloud Enabled Functions Enterprise Software Enterprise Platforms

7. Cloud questions today and tomorrow

8. Your enterprise 5 years from now Perimeter is less important than ever More than 50% of your critical data is offsite Some in environments you do not control Some users don’t need your VPN to do their jobs Securing the enterprise will be characterized by Continuous transfer of security responsibility to service providers of all types Application/protocol level attacks Even more compliance requirements than today

11. Network firewalls will fade in importance as perimeter disappears

12. Network security functions subsumed by service providers

13. Increasingly offered as a service

14. Become embedded in CSP and NSP network fabric

15. New security focus:

16. Applications

17. Protocols

19. CSP vs Customer responsibility Customer /Managed Service Cloud Service Provider

21. Auditing of key controls

22. Activity reporting

23. Log availabilityEmerging standard: CloudAudit/A6

24. X-Factor: the Auditors Passing a compliance audit in the cloud in next 5 years will require equal parts luck and planning Improving your chances Distant future: find an auditor that understands and has experience in cloud environments Today: help your auditor understand your environment API? CSA? XML? A6? Hadoop? EC2? VPC? XEN?

25. First steps Engage with your IT security and auditors Build a roadmap for dealing with the dissolving perimeter and set realistic goals for your team Understand how Security SaaS fits into your current and future strategy Explore technologies/efforts important to secure cloud adoption: IDM, OWASP, WAF, CSA, A6 Choose cloud environments that understand and plan to address your evolving security needs

26. Alert Logic http://www.alertlogic.com/ Secure Cloud Review Blog http://www.securecloudreview.com/ Email: misha@alertlogic.com Twitter: @CToMG