Cloud Computing

If you are responsible for defining cloud strategies and/or involved in projects around Cloud Computing, especially with a focus on security, track 2 will deliver the answers you are looking for. Learn not only how to move to the cloud but also how to mitigate cloud (security) risks and build a secure, hybrid environment that gets real value from Cloud Computing.

After attending this track you will be able to:

  • Ensure compliance when moving to cloud computing.
  • Take action to mitigate the security risks of cloud computing.
  • Apply the standards for cloud security and auditing.
  • Extend your Identity & Access Management into the Cloud.
  • Avoid making the key mistakes when adopting cloud computing.

This track in total qualifies for up to 14 Group Learning based CPEs depending on the number of sessions you attend.

KuppingerCole is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing education on the National Registry of CPE Sponsors. State Boards of accountancy have final authority on the acceptance of individual courses for CPE credits. Complaints regarding registered sponsors may be submitted to the National Registry through its website: www.learningmarket.org

For more information regarding administrative policies such as complaint and refund, please contact Mr. Levent Kara at our office's telephone +49 211 23707710, email: lk@kuppingercole.com


Moderation:

Wednesday, 18.04.2012
08:00-18:00 Check-in & Registration
08:30-09:00 Leveraging Identity to Manage Enterprise Change and Complexity
Jim Taylor, NetIQ

Jim Taylor, Vice President Identity and Security Management at NetIQ will discuss how identity, identity management and governance serve as the foundation for coping with an ever-changing IT environment, new business models, cloud models and more.

Auditorium
09:00-09:30 Securing Critical Banking Infrastructures in the Age of Cyber Warfare
Dr. Waldemar Grudzien, Association of German Banks

The Threat is real and in the news every day: Stolen customer information, system downtime caused by denial-of-service attacks, industry espionage, governments involved in something we eventually might need to call cyber warfare, or just any type of cybercrime motivated by money. All this happens every day and is getting worse.

For the financial industry, just recovering from the worldwide financial crisis, cybercrime is creating a new quality of risk, which has to be addressed. Dr. Waldemar Grudzien will describe those risks and propose mitigation strategies.

Auditorium
09:30-10:00 Information Security Governance in Banks: Delivering Actionable Recommendation to Management
Berthold Kerl, Deutsche Bank AG

  • What are the new threats?
  • Are the old threats already under control?
  • Is 100% protection necessary – is it even possible?
  • What do regulators expect?
  • What to do and at what cost?
  • Who decides on remediating actions and how is this done?
  • How could the decision making process be supported?
  • What is IT’s and what is Business’s role?
  • Identifying the ‘important’ risks and getting rid of them!
Auditorium
10:00-10:30 Coffee Break, Expo Area
Cloud Computing Audit
Moderator:
Prof. Dr. Sachar Paulus, KuppingerCole
Brendan M. Peter, CA Technologies
10:30-11:30 Cloud Audit
Addressing Cloud Audit, Assurance and Compliance Needs – A Progress Report
Dr. Marnix Dekker, ENISA
Anil Saldhana, Red Hat Inc.
Dr. Jane Siegel, Carnegie Mellon University Silicon Valley

A key enabler of cloud contracting and use -- all the way from comparison shopping and RfPs, through SLAs and monitoring, to auditing and regulatory enforcement -- is the availability of common vocabularies and operations for different service components. Open standards are required to make services comparable, portable and interoperable across vendors and architectures. As more organizations consider the shift toward cloud services, industry is working hard to offer new approaches to meet these challenges. During this session, experts will provide progress reports on some of the work underway that is addressing these needs.

  • SMI defines service attributes in seven major functional categories (accountability, agility, assurance, financial, performance, security and privacy, and usability) that provide key performance indicators that can be collected and tailored by consumers to evaluate competing services based on business and technology requirements. The speaker for this portion will provide an overview of the SMI and its relationship to cloud auditing, and discuss how cloud marketplaces can leverage the SMI to enable greater cloud choice through evidence-based decisions.
  • Many SDOs have been collecting real world cloud use cases addressing many of the concerns felt by industry. These use cases are being peer reviewed, with the hope that these committees will identify gaps in standards and pave the way for future standardization efforts. An expert technical speaker will be on hand to discuss the progress of SDO work in this area.
  • And finally, this session will cover ongoing work within the EU cloud strategy, ENISA’s cloud SLA work, and the dependencies of critical services on cloud. This speaker will also focus on auditing schemes and ongoing work in CAMM (an assurance framework for cloud providers) and the minimum security measures for EU telcos, which entail another audit scheme.
Alpsee
11:30-12:30 Cloud Audit
Global Perspectives on Cloud Auditing Challenges and Solutions
Steve Jones, Capgemini
Prof. Dr. Sachar Paulus, KuppingerCole
Marc Vael, ISACA

Auditing in the cloud environment, particularly for identity management systems, touches on a range of interconnected, international issues: data governance, competing legal and regulatory environments, standards and interoperability, and a host of specific policy issues that are increasingly problematic, such as data privacy. The October 2011 International Cloud Symposium organized by OASIS in London, identified many of these issues, and in this panel expert speakers examine them from a global perspective and offer international perspectives on challenges and solutions.

Alpsee
12:30-14:00 Lunch Break, Expo Area
Cloud Identity & Access
Moderator:
Mike Small, KuppingerCole
14:00-15:00 Cloud Information Security
The Cornerstones of Information Security in the Cloud
Craig Burton, KuppingerCole

Information Security in the Cloud - that's in fact moving towards a location-independent and provider-independent approach for information security. In the days of on-premise only IT (plus maybe an outsourcer), the focus could be on securing the network and the device. In these days where IT services are a mix of on-premise, private and public cloud services - i.e. in days where things become hybrid - we can't rely on network or system security. We don't really know where our data remains and where services are run. The cloud sprawl, with chains of providers like your SaaS provider relying for example on Amazon Web Services, leads to a situation where we have to re-think the approach in Information Security.

The most important cornerstone is to move from system, network, device security towards information-centric security, which we might name "real Information Security". Another one is understanding Information Security as an initiative which isn't focused on technologies first of all, but on understanding risks, contracts and other aspects. Another important cornerstone is, without any doubt, the identity. We have to deal with more identities and with persons using different identities. Identity and Access Management is a key element in Information Security in, for, and with the Cloud.

There are many other aspects. In this session, we will provide our view on the future of Information Security - an approach that works seamlessly for the hybrid world of today and tomorrow, from classical on-premise IT to the public Clouds.

Extending your Identity & Access Management into the Cloud
Gerry Gebel, Axiomatics Americas
Bruce Macdonald, Hitachi ID Systems
Dr. Barbara Mandl, Daimler AG
Prabath Siriwardena, WSO2
Jim Taylor, NetIQ

Identity management across multiple SaaS (Software-as-a-Service) applications as well as on-premise systems is a challenge to most enterprises. The challenges of identity management in the cloud go beyond simply getting authentication, authorization and auditing right. Cross-domain authentication, provisioning, interoperability, multi-tenancy, delegation and security are a few of the challenges. The best way to preserve interoperability is to adhere to open standards. Many proprietary standards came a long way, but once a larger audience and interaction with other systems were needed, they became open standards. SAML2 Web SSO, OpenID and OAuth are some popular open standards, widely used across many cloud providers for authenticating users while facilitating identity portability. WS-Trust and WS-Federation are used to cater to the same aspect when dealing with systems. XACML is another open standard, which is considered to be the de facto standard for authorization. It facilitates fine-grained authorization in a policy-driven manner. Provisioning is also an important aspect of a cloud identity management system. SPML failed to become the de facto standard for provisioning due to its heavyweight nature and its bias towards SOAP. The latest emerging standard for provisioning is SCIM, which is still in progress at the specification level, but looks promising.

Alpsee
15:00-16:00 SCIM
Is SCIM a Scam?
Craig Burton, KuppingerCole

A short introduction into the concepts of the Simple Cloud Identity Management (SCIM) Standard and why we may need it.

Simple Cloud Identity Management (SCIM)
Trey Drake, UnboundID
Kurt Johnson, Courion Corporation
Darran Rolls, SailPoint
Travis Spencer, Ping Identity

SCIM (Simple Cloud Identity Management) is one of the most popular standards in IAM these days. It shall replace SPML (Simple Provisioning Markup Language), building on a REST-based API. However, the question remains whether it is more about porting the type of API or really a breakthrough for provisioning to the cloud. And the question remains whether it really will become adopted as a mainstream approach. Besides this, any good standard supports all of IT, not only the cloud. So what does SCIM provide for on-premise IT?

Alpsee
16:00-17:00 Coffee & Networking, Expo Area
17:00-18:00 One IT, One IAM
Why you should not believe in Cloud-only Solutions
Craig Burton, KuppingerCole
Martin Kuppinger, KuppingerCole

Years ago, when the cloud became popular, KuppingerCole published a Cloud Roadmap with a simple target: One IT, not a separation of Cloud IT and On-Premise IT. However, there are still many offerings which are cloud-only, even though it is obvious that the reality for most organizations will remain hybrid. That’s true for many areas of IT, including IAM. There are also offerings for that. But is there really a value in solutions which only support the cloud? When do you need them, if at all? Which integration should cloud-based IAM solutions provide? And what might your future look like if you focus on the One IT/One IAM approach but still have to rely on cloud-based solutions, for example for an easier integration of external users like your customers and for using different types of SaaS? That’s what you’ll learn in this session.

Cloud Identity Services - Models and Challenges
Martin Kuppinger, KuppingerCole
Andy Thurai, Intel

As the software-as-a-service (SaaS) market explodes, more and more organizations struggle to gain control over their users’ identities in the cloud. Some are also exploring outsourcing their identity and access management (IAM) functions to the cloud.

There are three architectural models for implementing cloud identity services:

  • In the cloud – identity and access management as an on-demand service
  • To the cloud – IAM from an on-premise platform
  • Hybrid – a model that includes elements of both on-demand and on-premise solutions.

In this session, we will discuss the key architectural, platform, integration, security, scalability and reliability issues which organizations seeking to adopt cloud-based identity need to consider, including the increasingly significant role that Cloud Identity Broker/Cloud Security Broker technology is playing. The discussion will also assess current and evolving technology and industry standards available for managing SaaS account provisioning/de-provisioning, single sign-on, strong authentication, and other identity operations.

Objective:

When you finish this session, you will have a framework for analyzing the state of today’s technology options and selecting the most appropriate architectural platform to meet your business’s identity requirements in the cloud.

Alpsee
18:00-18:20 How Mobility Clouds the Future and SOA / Web 2.0 gives way to the Cloud API
André Durand, Ping Identity

Cloud computing and the increasingly mobile workforce are causing enterprises to rethink established IT security norms in new, revolutionary ways. Companies are seeing that latent data and internal resources can be exposed as new cloud APIs that scale as demand increases. This use of the cloud allows organizations to address the need for mobility and Internet-scale consumption. This sea change to services driven architecture is resulting in novel ways that data and processes are accessed and monetized, one that cannot be ignored or avoided. Cloud APIs are a disruptive technology that will transform how IT delivers value and is a natural follow on to SOA, Web 2.0, and early uses of cloud computing. Understanding the central role that identity plays in forming the new perimeter around these APIs is critical.

In his keynote, Andre Durand, CEO of Ping Identity, will provide insights and examples of how innovative customers of his are leading the way in this Cloud API revolution.

Auditorium
18:20-18:40 Top Challenges and Threats Security Managers Should Watch Out For
Prof. Dr. Eberhard von Faber, T-Systems
Auditorium
18:40-19:00 How to build a Secure and Open Cloud
Stephan Bohnengel, VMware

See how to build a complete cloud, starting small and secure in your own datacenter and how you can leverage new security approaches to build even a hybrid cloud without compromising compliance and IT-control.

Auditorium
19:00-21:00 European Identity Awards Ceremony & Buffet Dinner
Dr. Nigel Cameron, Center for Policy on Emerging Technologies (C-PET)

Thursday, 19.04.2012
08:00-18:00 Check-in & Registration
08:30-09:00 How Identity Management and Access Governance as a Service make your Cloud Work and your Business more Agile
Ralf Knöringer, Atos IT Solutions and Services GmbH

Identity and access management has evolved from the needs of large organizations and international operating enterprises. Automated user and entitlement management enabled the IT organizations to reduce costs and increase efficiency.

Today, legal and regulatory compliance dominates the deployment of identity and access management solutions. The level of control therefore follows the risk exposure and the transparent risk taking of the business owners. Identity and access governance with comprehensive analysis and reporting functionalities ensure transparency of rights, roles and entitlements.

Customers demand modular and service-oriented offerings managing identity and access for on-premise environments and cloud infrastructures.

Enterprise customers and service providers benefit from perimeter-less security services like cloud SSO and entitlement services for mixed environments (on-premise, private, public and hybrid cloud). This keynote will take a look at existing and future scenarios.

Auditorium
09:00-09:30 The Future of Attribute-based Credentials and Partial Identities for a more Privacy Friendly Internet
Prof. Dr. Kai Rannenberg, Goethe University in Frankfurt

Internet applications are becoming more and more personal, which raises major privacy problems. One example is the quest for more and more identification for the use of Internet resources such as social networks or participation platforms. Anonymous access can address the privacy issues, but in many applications some reputation management is needed. The question is then who can assure which claims, properties or attributes, and which information is given to the relying party to enable the assurance.

Classical trustworthy credentials normally do not respect privacy. They often reveal the identity of the holder even though the respective application often needs only much less information, for instance only confirmation that the holder is a teenager or is eligible for social benefits. In contrast to that, Attribute-based Credentials allow a holder to reveal just the minimal information required by the application, without giving away a full identity. These credentials thus facilitate the implementation of a trustworthy and at the same time privacy-preserving digital society.

However, the main existing implementations of ABCs, U-Prove and Idemix, are not really compatible, which makes interoperation and interchangeability difficult. Consequently, concerns about lock-in can hinder the uptake of ABC technologies.

This presentation will give an introduction to ABC4Trust (https://abc4trust.eu), a European Union funded Integrated Project to achieve the federation and interchangeability of ABC technologies. Its objectives are:

(1) a common, unified architecture for ABC systems to allow comparing their respective features and combining them on common platforms

(2) open reference implementations of selected ABC systems and

(3) actual production pilots allowing provably accredited members of restricted communities to provide anonymous feedback on their community or its members.

The first pilot application at a Swedish school will involve pseudonymous community access and social networking for school students (pupils). The second pilot application at Patras University (Greece) will involve polling, especially anonymous collection of feedback from authorized students about the courses they took and the respective lecturers.

Auditorium
09:30-10:00 Trust and Complexity in Digital Space
Dr. Jacques Bus, Digital Enlightenment Forum

The concepts of trust and security are deeply embedded in our society and are therefore strongly affected by the societal transformation caused by the digitization. Societal and technical change is strongly influenced by the growing complexity of society related to the emergence of easy worldwide communication, the Web and mass data collection. In this paper I discuss security and trust as fundamental drivers for self-organizing communities in our society. I highlight the concepts of trustworthy technology and trust in the societal context, as well as the difference between accepting technology and trusting technology. An important observation is that a complex system cannot be fully understood through reductionism. The discussion leads to some cautious conclusions on future actions.

Auditorium
10:00-10:30 Coffee & Networking, Expo Area
Cloud Security
Moderator:
Mike Small, KuppingerCole
10:30-11:30 Trustworthy Cloud
Providing and Maintaining a Secure Cloud Infrastructure - from Planning to Administration
Henning Arendt, @bc - Arendt Business Consulting
Prof. Dr. Clemens Jochum, Goethe-University Frankfurt, House of Finance
Aljosa Pasic, Atos Research & Innovation
Dr. Stefan Pühl, Dell
Mike Small, KuppingerCole
Juergen Urbanski, T-Systems

  • Trust Assumptions and Trustworthiness Assurance
  • Secure management of cloud components
  • Identity management requirements for both critical infrastructure and privacy protection
  • Integrated identity management for administration personnel, maintenance personnel, hardware and autonomous systems, and software components.
Alpsee
11:30-12:30 The Future Cloud
Customer Driven Cloud Services – What Cloud Customers need Providers to do to better align
Ian Lamont, Open Data Center Alliance

The presentation will introduce the Open Data Center Alliance and present the goals of the organization and the work of the Security Work Group.

Specifically, the two previously released Security Workgroup Usage cases, Security Provider Assurance and Security Monitoring, together with four soon to be released usage cases covering Identity Management will be presented.

Finally, there will be an opportunity to put your questions and to influence the future direction of the Security Workgroup of the ODCA.

Paving the Way for Tomorrow's Service Provisioning Architecture
Prof. Dr. Mohamed Hamdi, School of Communication Engineering

Convergence and ubiquity are the key characteristics of tomorrow’s service provision infrastructures. Cloud architectures will constitute cost-efficient backbones that will support the transmission, storage, and computing of application content. These architectures can be used for business, scientific, and pervasive computing purposes. The diversity of the services delivered through cloud infrastructures increases their vulnerability to security incidents and attacks. The cost and complexity reduction requirements render the design and development of protection mechanisms even more challenging. In addition, key design features such as confidentiality, privacy, authentication, anonymity, survivability, dependability, and fault-tolerance are, to some extent, conflicting. The objective of this keynote is to present the state of the art and explore research directions and technology trends to address the protection of cloud communications and networking infrastructures.

The fundamental concepts of cloud computer security will be explored, including cloud security services, cloud security principles, cloud security requirements, and testing techniques. The attendees of this session will learn how to:

  • Identify security management challenges and opportunities in cloud environments
  • Examine cloud computing risk, threats, and vulnerabilities
  • Specify, validate, and implement preventive and reactive security policies for a virtual environment
  • Develop business continuity and disaster recovery plans for cloud computing
  • Conduct security investigation missions to analyze attacks against cloud computing
Alpsee
12:30-14:00 Lunch Break, Expo Area
Cloud Security
Moderator:
Mike Small, KuppingerCole
14:00-15:00 Cloud Security Issues
Eyes Wide Shut? Seven Cloud-Computing Security Sins and how to Control them
Mike Small, KuppingerCole

Cloud computing provides an opportunity for organizations to optimize the procurement of IT services from both internal and external suppliers. However, many organizations are sleepwalking into the Cloud. Moving to the cloud may outsource the provision of the IT service, but it does not outsource responsibility. This session will look at the issues that may be forgotten or ignored when adopting cloud computing.

These include:

  • Ensuring legal and regulatory compliance
  • Assuring data security
  • Ensuring business continuity
  • Avoiding lock in
Secure Online Identity with Cloud Identity and Privacy Services
Ronny Bjones, Microsoft
Prof. Dr. David Chadwick, University of Kent
Mike Small, KuppingerCole

You will learn about a set of new capabilities under development for a cloud identity platform. Aimed at governments and enterprises, this work, from Microsoft and the University of Kent, brings together advanced privacy features based on either U-Prove or existing technologies, support for Trust Frameworks that simplify agreements between identity partners, support for delegation of authority to delegates whose identities are private, and a dramatically simplified programming environment for application developers and relying parties.

Alpsee
15:00-16:00 Best Practice
Trusted Identity Information from the Cloud
Patrick Graber, Swisscom Ltd

In this session, a proof of concept for an IAM service from the cloud (IAMaaS) will be outlined. The proof of concept takes place in the field of eGovernment. The IAM service delivers trusted information about a user to a service provider. This information is stored highly securely in the cloud. The service provider will be able to grant access to the user according to this information.
How can data security be ensured? How do users keep data sovereignty? How do service providers know how to interpret the information to grant correct access to users? These and more questions will be discussed by describing the concept, use cases and layout of the IAM service as well as first results of the proof of concept.

Cloud Service Broker - Adopting cloud services in Multi-tenant Enterprise Scenarios
Andreas Carlsson, Nordic Edge
Haydar Cimen, KPN

Learn how the Dutch ICT company KPN developed a cloud service broker solution that reforms enterprise cloud integrations. The KPN cloud service broker aggregates services to multiple cloud providers and simplifies consumption of identity federation, authentication and data integration services for the enterprise. As a result, enterprises with high requirements can now efficiently integrate cloud services in complex scenarios.

Alpsee
16:00-16:30 Coffee & Networking, Expo Area
16:30-17:30 Key Management, Encryption
The Bad Things that can happen if Encryption Management Fails
Mike Small, KuppingerCole
Gregory Webb, Venafi, Inc.

The recent surplus of security compromises is evidence of major encryption management failure across the IT landscape. Recent research has highlighted some alarming facts; companies have little idea how many of these security assets they have in their inventories, where they are deployed, who has access to them, or how they are managed. With little understanding of best management practices, enterprises are likely to experience significant security, operational, and audit risks. Drawing on many years of work and research in Global 2000 organizations in financial services, retail, manufacturing, telecom and other industries, this session explores the challenge of scaling and managing encryption assets. The session will address how the role of IT security has moved from merely a technological challenge to being a fundamental part of the business. It is essential that organizations apply field-tested, in-production methodologies and best practices for effective key and certificate management.

Cloud Security Depends on Effective Key Management
Calum MacLeod, Venafi

Enterprises have amassed regulated and valuable data that flows within and beyond their networks, all of which must be protected. As a result, thousands of encryption keys and certificates have been deployed across their global infrastructures and in the cloud—to secure the data and authenticate systems. How are these critical security assets being managed? Organizations that fail to properly manage these assets subject themselves to security vulnerabilities, non-compliance and unplanned outages, all with increasing frequency and cost. Attend the session to learn more.

Alpsee
17:30-18:00 Closing Keynote
Dave Kearns, KuppingerCole
Prof. Dr. Sachar Paulus, KuppingerCole
Auditorium


© 2013 KuppingerCole