Title: Trust: A Cloudy Concept. Infrastructure Security in the Cloud
Slide 1: Trust, A Cloudy Concept: Infrastructure Security in the Cloud
- Kartik Shahani
- Country Manager, India and SAARC
- RSA, The Security Division of EMC
Slide 2: Agenda
- Stages in the Journey to the Cloud
- Security Concerns
- Trust and Risks
- Challenges
- RSA's Position on Securing Cloud Infrastructure
- Case Scenario
- Summary
Slide 3: Cloud Computing
Delivering on-demand access to shared pools of data, applications, and hardware: efficient, flexible, convenient, cost-effective.
(Diagram labels: Private Cloud, Virtualized Data Center, Internal cloud, External cloud)
Slide 4: Stages in the Journey to the Cloud
(Diagram only)
Slide 5
(Figure statistic: 51)
Security is the greatest concern surrounding cloud computing adoption.
- Gain visibility
- Maintain control
- Prove compliance
Slide 6: Trusted Zones for the Cloud
(Diagram: Attackers; per tenant (Tenant 1, Tenant 2): Information, Virtual Infrastructure, Identity; shared layer: Physical Infrastructure, Cloud Provider)
Slide 7: Trusted Zones: Key Capabilities
(Diagram labels: Tenant 1, Tenant 2, Virtual Infrastructure, Physical Infrastructure)
- Isolate infrastructure from malware, Trojans and cybercriminals: anti-malware, cybercrime intelligence, strong authentication
- Federate identities with public clouds: identity federation
- Isolate information among tenants: control and isolate VMs, virtual infrastructure security, data loss prevention
- Isolate information from cloud providers' employees; segregate and control user access: encryption key management, access management, tokenization
- Enable an end-to-end view of security events and compliance across infrastructures: governance, risk, and compliance (GRC); security information and event management (SIEM)
Slide 8: Security Concerns
- Today, cloud environments mainly host non-sensitive data due to security concerns.
- If cloud computing is going to meet enterprise needs for confidentiality of customer data and compliance with legal directives, it will have to provide increased levels of security to support more sensitive enterprise applications.
Slide 9: The Risk of Cloud Computing
- When organizations move their data into the public cloud, new stakeholders are introduced in the form of third-party service providers, vendors, and contractors.
- This loosens the controls IT has on data security.
Slide 10: Challenges of Cloud Computing
- Control: Organizations will face reduced control of their data as more responsibility shifts to third parties.
- Regulation: Regulations govern the way data must be protected in many industries, meaning the cloud must have proper controls.
- Interoperability: Today's clouds must be able to communicate with each other and offer data portability.
- Convenience: Those using the cloud want both convenient access and secure data protection, creating a difficult balancing act.
- Reporting: To meet many of today's regulations, the ability to report where data is and how it is protected will be essential.
- Data Transfer: Businesses must find a way to transfer data into the cloud in a way that is both safe and cost-effective.
Slide 11: RSA Protection in Action
- 1 billion applications shipped with BSAFE encryption
- 25-year legacy in information security
- 200 million identities protected
- 34,000 organizations protected
- 120,000 phishing attacks shut down
- Embedded in Microsoft, HP, Sun and IBM operating systems, Internet Explorer and Netscape browsers, Ericsson, Nokia and Motorola phones, major US government agencies, and the list goes on
Slide 12: Virtualization Enables More Effective Security by Pushing Enforcement Down the Stack
- Today most security is enforced by the OS and application stack, making it ineffective, inconsistent and complex.
- Pushing information security enforcement into the virtualization and cloud infrastructure ensures consistency, simplifies security management and enables customers to surpass the levels of security possible in today's physical infrastructures.
(Diagram label: Physical infrastructure)
Slide 13: VMware vShield Zones and RSA DLP: Building a Content-Aware Trusted Zone
- Overview
  - VMware vShield Zones provides isolation between groups of VMs in the virtual infrastructure
  - Leverages the capabilities of vShield Zones to deploy DLP as a virtual application monitoring data traversing virtual networks
  - Uses centrally managed policies and enforcement controls to prevent data loss in the virtual datacenter
- Customer Benefits
  - Pervasive protection
  - Persistent protection
  - Improved scalability
(Diagram: Virtual Infrastructure with VMware vShield Zones and DLP instances over VMware vSphere; Physical Infrastructure beneath)
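The slide describes DLP running at the virtual-network layer, inspecting traffic as it crosses zone boundaries rather than relying on each guest OS. The following is an added illustration, not RSA's or VMware's code and not vShield's policy format: a constructed zone map assigns each VM to a tenant and a zone, cross-tenant flows are dropped outright, intra-zone flows pass, and cross-zone flows are scanned for Luhn-valid card numbers (the PCI case on a later slide) before being allowed. VM names, zone names and the sample payloads are all constructed.

```python
import re
from dataclasses import dataclass

# Constructed zone model (assumption): VM -> (tenant, zone).
VM_ZONES = {
    "vm-pci-db-01": ("tenant1", "pci"),
    "vm-web-01":    ("tenant1", "dmz"),
    "vm-web-02":    ("tenant1", "dmz"),
    "vm-t2-app-01": ("tenant2", "app"),
}

# 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out most non-card digit runs (order ids, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(payload: str) -> list[str]:
    """Return normalized card-number candidates that pass the Luhn check."""
    hits = []
    for m in PAN_RE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


@dataclass
class Flow:
    src: str
    dst: str
    payload: str  # constructed application-layer content of the flow


def decide(flow: Flow) -> tuple[str, str]:
    """Content-aware zone policy: returns (verdict, reason)."""
    src_tenant, src_zone = VM_ZONES[flow.src]
    dst_tenant, dst_zone = VM_ZONES[flow.dst]
    if src_tenant != dst_tenant:
        return ("block", "cross-tenant flow")
    if src_zone == dst_zone:
        return ("allow", "intra-zone flow")
    pans = find_pans(flow.payload)
    if pans:
        return ("block", f"{len(pans)} PAN(s) leaving zone {src_zone}")
    return ("allow", "cross-zone flow, no sensitive content")


if __name__ == "__main__":
    # Constructed sample flows; 4111 1111 1111 1111 is a well-known test card number.
    samples = [
        Flow("vm-pci-db-01", "vm-web-01", "card=4111 1111 1111 1111 exp=12/29"),
        Flow("vm-pci-db-01", "vm-web-01", "order=1234 5678 9012 3456 status=shipped"),
        Flow("vm-web-01", "vm-web-02", "GET /health"),
        Flow("vm-pci-db-01", "vm-t2-app-01", "SELECT 1"),
    ]
    for f in samples:
        print(f.src, "->", f.dst, decide(f))
```

The Luhn filter matters in practice: a plain 16-digit regex would block the order-number flow too, and a DLP sensor that blocks legitimate traffic is the one operators turn off.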
Slide 14: Cloud Infrastructure: The Next Frontier of Cloud Security and Compliance
Slide 15: Problem Statement of the Tenant
- When using the cloud, a tenant is not in physical control of their infrastructure. How do they:
  - Gain visibility into the cloud's IaaS?
  - Assess the actual security posture of the IaaS?
  - Trust those measurements of security?
  - Prove to auditors that the infrastructure they are running on is compliant?
Slide 16: Cloud Compliance Use Case
- A tenant wants to run a business-critical application in the cloud
- Their requirements:
  - Follow best security practices (VMware hardening guidelines)
  - Pass a PCI audit (they hold credit card data)
  - Be assured that they are booting from a secure root of trust (protection from inserted rootkits and blue pill attacks)
Slide 17: RSA, VMware, and Intel's Vision for Trusted Cloud Computing Infrastructure
- Advanced development proof of concept
- Framework for a measured, trusted cloud computing environment
- Bottom-up automated security assessment
- Leverages technologies from EMC (RSA and Archer), VMware and Intel
- Allows the Cloud Service Provider to report on the configuration of the virtual infrastructure used by customer VMs
- Ties to a verifiable measurement of trust in the hardware and hypervisor
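Slides 15 through 17 turn on one mechanism: the tenant does not control the hardware, so trust has to rest on a measurement the provider cannot quietly alter. The block below is an added worked example, not the RSA/VMware/Intel proof of concept, showing how a measured-boot chain is built and then checked by a verifier such as a GRC dashboard. It models a TPM-style register that is only ever extended (new = H(old || H(component))), a quote over that register bound to a verifier-chosen nonce, and a verification that replays the event log against the register and compares each entry to golden values. The boot components, the golden values, and the HMAC standing in for a TPM's signed quote are all constructed assumptions.

```python
import hashlib
import hmac
import os

ZERO_PCR = bytes(32)
AIK = b"constructed-attestation-key"  # assumption: stand-in for a TPM attestation key


def extend(pcr: bytes, blob: bytes) -> bytes:
    """Extend-only register: the value depends on every component and its order."""
    return hashlib.sha256(pcr + hashlib.sha256(blob).digest()).digest()


def measure_boot(components: list[tuple[str, bytes]]) -> tuple[bytes, list[dict]]:
    """Measure each boot-chain component in turn; return final register and event log."""
    pcr, log = ZERO_PCR, []
    for name, blob in components:
        pcr = extend(pcr, blob)
        log.append({"component": name, "digest": hashlib.sha256(blob).hexdigest()})
    return pcr, log


def quote(pcr: bytes, nonce: bytes, key: bytes) -> bytes:
    """Constructed stand-in for a TPM quote: keyed MAC over register and fresh nonce."""
    return hmac.new(key, pcr + nonce, hashlib.sha256).digest()


def verify(pcr_reported: bytes, log: list[dict], quote_mac: bytes,
           nonce: bytes, key: bytes, golden: dict[str, str]) -> dict:
    """Verifier side: authenticity and freshness, then log integrity, then policy."""
    if not hmac.compare_digest(quote_mac, quote(pcr_reported, nonce, key)):
        return {"trusted": False, "reason": "quote signature/nonce mismatch"}
    pcr = ZERO_PCR
    for entry in log:  # replay the log; a forged log cannot reproduce the register
        pcr = hashlib.sha256(pcr + bytes.fromhex(entry["digest"])).digest()
    if pcr != pcr_reported:
        return {"trusted": False, "reason": "event log does not match PCR"}
    for entry in log:  # every component must match a known-good value
        if golden.get(entry["component"]) != entry["digest"]:
            return {"trusted": False, "reason": f"unexpected measurement for {entry['component']}"}
    return {"trusted": True, "reason": "all measurements match golden values"}


# Constructed boot chain: firmware, boot loader, hypervisor kernel, hardening config.
GOOD_CHAIN = [("bios", b"bios-fw-v1"), ("bootloader", b"boot-v1"),
              ("hypervisor", b"hv-kernel-v1"), ("hv-config", b"hardening-baseline-v1")]
GOLDEN = {name: hashlib.sha256(blob).hexdigest() for name, blob in GOOD_CHAIN}


def attest(chain, nonce=None, log_override=None, verify_nonce=None) -> dict:
    """Provider boots `chain` and answers a challenge; verifier checks the answer."""
    nonce = nonce or os.urandom(16)
    pcr, log = measure_boot(chain)
    q = quote(pcr, nonce, AIK)
    return verify(pcr, log_override or log, q, verify_nonce or nonce, AIK, GOLDEN)


def scenarios() -> dict[str, str]:
    """Clean boot, hypervisor with an inserted rootkit, forged log, and replayed quote."""
    tampered = list(GOOD_CHAIN)
    tampered[2] = ("hypervisor", b"hv-kernel-v1+rootkit")
    _, good_log = measure_boot(GOOD_CHAIN)
    return {
        "good": attest(GOOD_CHAIN)["reason"],
        "rootkit": attest(tampered)["reason"],
        "forged_log": attest(tampered, log_override=good_log)["reason"],
        "replay": attest(GOOD_CHAIN, nonce=b"old-nonce", verify_nonce=b"new-nonce")["reason"],
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:10s} {outcome}")
```

The order of the three checks is the point: a golden-value comparison on an unauthenticated log proves nothing, which is why the quote (with the verifier's nonce) is checked first and the log is only used once it reproduces the quoted register.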
Slide 18: Cloud Compliance Architecture
(Diagram only)
Slide 19: Archer GRC Platform and Dashboard
(Screenshot only)
Slide 20: Benefits
- Tenants
  - Fast, accurate and efficient auditing and compliance process
  - Granular view of cloud providers' performance against SLAs
  - Customized, flexible provisioning of trusted computing services
  - Finer-grained policy control
- Service Providers
  - Differentiated service offerings
  - Fast, accurate and efficient customer compliance audits
  - Automated, scalable process for on-boarding audits
Slide 21: RSA Capabilities
- Understand risks
  - RSA Virtual Security Assessment Service
- Secure virtual environments
  - SecurID
    - Integration with vSphere administrator access
    - Integration with VMware View user desktop access
    - Authentication Manager 6.1 and 7.1 supported when run as virtual applications on VMware
  - RSA Key Manager
    - Encryption client will integrate with applications virtualized by VMware
  - enVision Event Manager
    - Supports vSphere as an event source
  - EMC Proven Solution for Secure Exchange
    - RSA SecurID, DLP and enVision used to secure a virtualized Exchange infrastructure
- Leverage virtual infrastructure to increase security
  - Data Loss Prevention
    - Integration with DLP and VMware vShield Zones
- Enable secure cloud computing
  - RSA Access Manager and RSA Key Manager to secure access and data in the cloud
  - Adaptive Authentication available as a cloud security service
Slide 22: Next Steps in Shared Vision
- Solutions offerings
  - Work with service providers to embed in cloud platforms: IaaS, PaaS, SaaS
- Cloud platforms
  - Embedding security in the virtualized infrastructure
  - GRC automated IT control assessments
  - VCE / Vblock: network, storage
  - Federation, cyber-intelligence, access management, encryption
  - Patch, vulnerability, configuration management
Slide 23
"For Terremark, demonstrating compliance on shared, virtualized platforms has been a manual, complex, and labor-intensive set of activities. As a VMware vCloud partner, when we can easily prove compliance, security and control on multi-tenant, virtualized infrastructure, it will be incredibly compelling to our customers and our own business."
Chris Day, Chief Security Architect, Terremark Worldwide
Slide 24: Thank you!
Slide 25: Guidance for Ensuring Security in the Cloud
- Harden all hypervisors
- Set clear policies for co-residency and be equipped to enforce them
- Evaluate whether cloud vendors can deliver on their promise
- Assess cloud providers' methods of attesting to infrastructure security
- Look for automated dashboard services for monitoring and compliance
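The second item of the guidance, setting co-residency policies and being equipped to enforce them, is only meaningful if the policy can be evaluated at placement time. The following is an added example, not part of the original deck and not any vendor's scheduler: a constructed host inventory carries two facts the rest of the deck asks a provider for (whether the host's measurements were attested and whether it passes a hardening checklist), and a placement request is checked against a small co-residency policy before a VM is assigned. Host names, tenant names, the sensitivity labels and the policy rules themselves are assumptions chosen to illustrate the idea.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Host:
    name: str
    attested: bool        # assumption: hardware/hypervisor measurement verified
    hardened: bool        # assumption: passes the hardening checklist
    vms: list = field(default_factory=list)  # (tenant, sensitivity) already placed


@dataclass
class PlacementRequest:
    vm: str
    tenant: str
    sensitivity: str      # constructed labels: "public" | "internal" | "regulated"
    dedicated: bool = False  # tenant contract forbids sharing a host with others


def evaluate(req: PlacementRequest, host: Host) -> list[str]:
    """Return the list of policy violations placing `req` on `host` would cause."""
    violations = []
    other_tenants = sorted({t for t, _ in host.vms if t != req.tenant})
    if not host.hardened:
        violations.append("host not hardened")
    if req.sensitivity == "regulated" and not host.attested:
        violations.append("regulated workload requires an attested host")
    if req.dedicated and other_tenants:
        violations.append(f"dedicated tenant cannot share host with {other_tenants}")
    if req.sensitivity == "regulated" and other_tenants:
        violations.append("regulated workload cannot co-reside with other tenants")
    if any(s == "regulated" and t != req.tenant for t, s in host.vms):
        violations.append("host already holds another tenant's regulated workload")
    return violations


def place(req: PlacementRequest, hosts: list[Host]) -> tuple[Optional[str], dict]:
    """First host with no violations wins; the report explains every rejection."""
    report = {}
    for h in hosts:
        report[h.name] = evaluate(req, h)
        if not report[h.name]:
            h.vms.append((req.tenant, req.sensitivity))
            return h.name, report
    return None, report


def demo() -> dict[str, Optional[str]]:
    """Constructed inventory: one shared host, one unattested host, one clean host."""
    hosts = [
        Host("esx-a", attested=True, hardened=True, vms=[("tenant2", "internal")]),
        Host("esx-b", attested=False, hardened=True),
        Host("esx-c", attested=True, hardened=True),
    ]
    results = {}
    results["t1-pci"] = place(PlacementRequest("vm-pci-01", "tenant1", "regulated"), hosts)[0]
    results["t3-web"] = place(PlacementRequest("vm-web-03", "tenant3", "internal"), hosts)[0]
    results["t3-ded"] = place(PlacementRequest("vm-ded-01", "tenant3", "internal", dedicated=True), hosts)[0]
    return results


if __name__ == "__main__":
    for name, host in demo().items():
        print(f"{name}: {host or 'no compliant host'}")
```

In the constructed run the regulated tenant1 VM skips esx-a (another tenant is resident) and esx-b (not attested) and lands on esx-c; tenant3's ordinary workload shares esx-a; tenant3's dedicated VM finds no host, because esx-a and esx-c are both occupied by other tenants and esx-b is not attested and so fails nothing here but is hardened, which shows why a rejection report, not just a yes/no, is what the tenant's auditor needs.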
Slide 26: Cloud Security Essentials: Identity Security
- Technical Questions: Who Are My Neighbors?
  - Are there controls in terms of who else is using this cloud infrastructure?
  - Will my data be segregated so that others cannot access it?
  - Is there strong identity management both for customers and for employees?
    - Support of identity management tools for both users and infrastructure components
    - Strong authentication that goes beyond a simple username and password
    - Granular authorization such as role-based controls and IRM
- Process/Policy Questions: Is there good discipline over separation of data, processes and infrastructure?
Slide 27: Cloud Essentials: Information Security
- Technical Questions: Information Sensitivity
  - What information will be going to the cloud?
  - Are there privacy or confidentiality issues?
  - Are there different levels of protection available for sensitive data?
- Information Mobility
  - Where physically will the information be? Are there legal/sovereignty issues?
  - Can I be sure I get it all back and all copies are permanently deleted if I stop using the cloud vendor or infrastructure?
- Controls
  - Policy-based content protection
  - Granular data security and enforcement
  - Effective data classification
  - Information rights management
  - Data isolation
  - Resource lifecycle management
- Process/Policy Questions: Will the cloud vendor outsource any of its functions? Can I control that?
Slide 28: Cloud Essentials: Infrastructure Security
- Controls
  - Appropriate controls, log collection, and reporting to assure compliance with regulations
  - Inherent component-level security
  - Granular interface security at data hand-off points
- Technical Questions: Transparency, Accountability, Trust
  - Can I meet audit and compliance requirements for the information or business process?
  - Can I gain visibility into whether security controls, and other best practices, are being deployed?
- Process/Policy Questions: Can I get insight into hiring and training practices regarding privacy and security? Can I trust the cloud service provider?
Slide 29: RSA Positioning
- RSA's Position
  - With the right approach, organizations can extend virtual technologies into environments with sensitive data and ultimately increase security
- RSA's Approach
  - An information-centric, risk-based approach to security designed to help organizations:
    - Understand risks
    - Secure virtual environments (virtualize security controls)
    - Leverage virtual infrastructure
    - Enable secure cloud computing
- The Customer Benefit
  - Accelerate the proliferation of virtualization and increase security