Securing the Public & Private Cloud
Mikhail Kader
mkader@cisco.com
Objectives
• Discuss cloud computing service delivery & deployment models, specific to security
• Analyze current threats, vulnerabilities, solutions and opportunities
© 2010 Cisco Systems, Inc. All rights reserved.
The Cloud
The Technical View of Cloud
The Consumer’s View of Cloud
...Everything is Cloud
Cloud Deployment Model
NIST Deployment Models
• Application (SaaS): Applications at Scale (End users)
• Platform as a Service: Execution Platforms at Scale (Developers)
• Infrastructure as a Service: Infrastructure at Scale (System Administrators)
• Enabling Technology: Cloud Service Delivery at Scale (Public / Private Cloud Providers)
Cloud Deployment Model
NIST Deployment Models
• Public Cloud: Cloud infrastructure made available to the general public.
• Private Cloud: Cloud infrastructure operated solely for an organization.
• Hybrid Cloud: Cloud infrastructure composed of two or more clouds that interoperate or federate through technology.
• Community Cloud: Cloud infrastructure shared by several organizations and supporting a specific community.
… and one other:
• Virtual Private Cloud: Cloud services that simulate the private cloud experience in public cloud infrastructure.
Enterprise Deployment Models
Distinguishing between Ownership and Control
(Diagram: Ownership on one axis, from Internal Resources to External Resources; Control on the other.)
• Private Cloud: All cloud resources owned by or dedicated to enterprise; cloud definition/governance controlled by enterprise.
• Hybrid Cloud: Interoperability and portability among Public and/or Private Cloud systems.
• Public Cloud: All cloud resources owned by providers, used by many customers; cloud definition/governance controlled by provider.
Cutting Through the Fluff:
The SPI Cloud Model
Three archetypal models that people talk about when they say “Cloud:”
Cloud Model :: Infrastructure as a Service (IaaS)
Cloud Model :: Platform as a Service (PaaS)
Cloud Model :: Software as a Service (SaaS)
Lots Of *aaSes...Variations On a Theme
• Storage as a Service
• Database as a Service
• Information as a Service
• Process as a Service
• Integration as a Service
• Security as a Service
• Management as a Service
• Testing as a Service...
*David Linthicum: Defining the Cloud Computing Framework http://cloudcomputing.sys-con.com/node/811519
What This Means To Security
The lower down the stack the Cloud provider stops, the more security you are tactically responsible for implementing & managing yourself.
• Salesforce - SaaS: RFP/Contract It In
• Google AppEngine - PaaS
• Amazon EC2 - IaaS: Build It In
Some Things Are Cloud Candidates...
Cloud Ready?
• When the processes, applications and data are largely independent
• When the points of integration are well defined
• When a lower level of security will work just fine
• When the core internal enterprise architecture is healthy
• When the Web is the desired platform
• When cost is an issue
• When the applications are new
...Others Not So Much
Not so Cloud Ready?
• When the processes, applications and data are largely coupled
• When the points of integration are not well defined
• When a high level of security is required
• When the core internal enterprise architecture needs work
• When the application requires a native interface
• When cost is not an issue
• When the applications are legacy
...Peeling Back the Covers
The things that go bump in the night:
• Single Tenancy / Multi-tenancy
• Isolated Data / Co-mingled Data
• Dedicated Security / Socialist Security
• On-premise / Off-premise
A Typical Large Enterprise’s Forward-Looking Journey to the Cloud
Laying Out the Timeline...
(Timeline diagram in four phases, from PRESENT to ~2015-2017. Elements shown: Stand-Alone Data Centers, Private Cloud, Virtual Private Cloud, Hybrid Cloud, Public Cloud #1, Public Cloud #2, Public Cloud, Inter-Cloud, Open Cloud. Caption: Federation / Workload Portability / Interoperability.)
The Fable of VirtSec & CloudSec
Don’t Worry!
Oh, Wait, Worry...
No, But a Little Perspective...
• We’ve rushed to embrace virtualization without solving many of its attendant security, privacy and management challenges in environments over which we have direct control of our information and infrastructure
• We’ve brushed past real time infrastructure (RTI) which brings discipline and the technology needed for robust automation, autonomics, orchestration, provisioning, re-purposing and governance
• Now we’re hustling to push to “The Cloud,” introducing new operational and business models, stretching technology and with a complete lack of standards?
We Are Product Rich, But Solution Poor
What’s true with VirtSec is true with Cloud, only more so.
• Depending upon the type of Cloud, you may not get feature parity for security.
• Your visibility and ability to deploy or have a compensating control deployed may not be possible or reasonable.
• As it stands now, the abstraction of Infrastructure is really driving the cyclic shift from physical network controls to logical/virtual back into the host/guest
Web3.0/Infrastructure 2.0?/Security 1.3a?
Achtung! Divergent Models
(Diagram: Mainframes, Client/Server, Web1.0, Web2.0, The Cloud)
* Credit: Gunnar Peterson
Cloud security today?
• By the Cloud (Services): many strong offerings today
  •ScanSafe
  •Ironport Email
  •...
• In the Cloud (Products): few native virtual offerings today
  •vFW
  •IDP
  •DLP
  •Policy
  •(id)Entity
  •…
• For the Cloud (Functions): requires “by the cloud” and “in the cloud” products
Cloudanatomy : Meet the Triplets
• Infostructure (Content & Context): Applications, Data/Metadata, Services
• Metastructure (Glue & Guts): IPAM, IAM, SSL, BGP, DNS, etc.
• Infrastructure (Sprockets & Moving Parts): Compute, Network, Storage
These Sound Familiar...
• Infostructure: Application/WebApp Insecurity, SQL Injection
• Metastructure: BGP, SSL & DNS Hijacking
• Infrastructure: Chipset & Virtualization Compromise
...And So Do These
Let’s highlight just a few ...
• (t)rust
• Availability
• Confidentiality & Privacy
• Visibility & Manageability
• Portability & Interoperability
• Reliability & Resiliency
• Audit
• Compliance
...and What’s Old Is New(s) Again
One Cloud Forward, Two Steps Backward
• Access Control
• Identity Management
• Data Leakage
• Application Security
• Authentication
• Database Security
• Encryption
• Storage Security
• Denial Of Service
• Protocol Security by Politeness (BGP/DNS/SSL)
• Key Management
• Vulnerability Management
Cloud Happiness :: Warm & Fuzzies
The Cloud can provide the following security benefits:
• Centralized Data (sort of...)
• Segmented data/applications
• Better Logging/Accountability
• Standardized images for asset deployment
• Better Resilience to attack & streamlined incident response
• More streamlined Audit and Compliance
• Better visibility to process
• Faster deployment of applications, services, etc.
Cloud-Specific Stuff Emerging
• Organizational & Operational Misalignment
• Monoculture of Operating Systems, Virtualized Components & Platforms
• Privacy Of Data/Metadata, Exfiltration and Leakage
• Inability to Deploy Compensating or Detective Controls
• Segmentation & Isolation In Multi-tenant environments...
New Solutions To Old Problems
The Realities of Today’s CloudSec Solutions Landscape:
• Whatever the provider exposes in the SaaS/PaaS/IaaS Stack (not much)
• Virtual Security Appliances (VM-based)
• Software in the Guest (If Virtualized)
• Virtualization-Assist API’s (If Virtualized)
• Integrating Appliances & Unified Computing Platforms (Network-based solutions)
• Leveraging Chipset-Integrated Technology
• Look for extensions of management and visibility solutions to lead - LOTS of APIs on the horizon
• Look for standardized policy language and enforcement capabilities with VM’s as the de facto atomic unit of the Cloud
Let’s Revisit Our Examples : Public Clouds
• Salesforce - SaaS
• Google AppEngine - PaaS
• Amazon EC2 - IaaS
Q: How do I take my catalog of compensating controls/best practices and apply them/integrate them in each of these environments?
A: You may not be able to (or need to)
Mapping the Model to the Metal
Find the Gaps!
(Diagram: Cloud Model mapped onto the Security Control Model, then onto the Compliance Model.)
Security Control Model (layer: controls):
• Applications: SDLC, Binary Analysis, Scanners, WebApp Firewalls, Transactional Sec.
• Information: DLP, CMF, Database Activity Monitoring, Encryption
• Management: GRC, IAM, VA/VM, Patch Management, Configuration Management, Monitoring
• Network: NIDS/NIPS, Firewalls, DPI, Anti-DDoS, QoS, DNSSEC, OAuth
• Trusted Computing: Hardware & Software RoT & API’s
• Compute & Storage: Host-based Firewalls, HIDS/HIPS, Integrity & File/log Management, Encryption, Masking
• Physical: Physical Plant Security, CCTV, Guards
Compliance Model: PCI, HIPAA, GLBA, SOX
PCI, for example: Firewalls, Code Review, WAF, Encryption, Unique User IDs, Anti-Virus, Monitoring/IDS/IPS, Patch/Vulnerability Management, Physical Access Control, Two-Factor Authentication...
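The "Find the Gaps!" step as a small script, added here as an example and not part of the original deck: it encodes the slide's layer-to-control model, an assumed split of which layers the customer still owns under SaaS/PaaS/IaaS (the "lower down the stack the provider stops" rule), and a constructed requirement set with a constructed provider attestation, then labels each requirement as build it in, contract it in, gap, or unmapped.

```python
# Added example (not from the deck): gap analysis over the slide's Security
# Control Model. Layer -> controls are the slide's; the per-model ownership
# split and the sample provider attestation are assumptions for illustration.

# Security control model from the slide, top of the stack first.
CONTROL_MODEL = {
    "Applications": ["SDLC", "Binary Analysis", "Scanners",
                     "WebApp Firewalls", "Transactional Sec."],
    "Information": ["DLP", "CMF", "Database Activity Monitoring", "Encryption"],
    "Management": ["GRC", "IAM", "VA/VM", "Patch Management",
                   "Configuration Management", "Monitoring"],
    "Network": ["NIDS/NIPS", "Firewalls", "DPI", "Anti-DDoS", "QoS",
                "DNSSEC", "OAuth"],
    "Trusted Computing": ["Hardware & Software RoT & APIs"],
    "Compute & Storage": ["Host-based Firewalls", "HIDS/HIPS",
                          "Integrity & File/log Management", "Encryption",
                          "Masking"],
    "Physical": ["Physical Plant Security", "CCTV", "Guards"],
}

# Assumed split: the lower down the stack the provider stops, the more layers
# the customer must "Build It In"; the rest is "RFP/Contract It In".
CUSTOMER_LAYERS = {
    "SaaS": set(),
    "PaaS": {"Applications", "Information"},
    "IaaS": {"Applications", "Information", "Management", "Network",
             "Compute & Storage"},
}

def gap_analysis(model, provider_attested, required):
    """Label each required control (e.g. from a compliance model such as PCI)
    as "build" (customer layer), "contract" (provider attests to it), "gap"
    (provider layer, not attested) or "unmapped" (not in the control model)."""
    result = {}
    for ctrl in required:
        layers = {lyr for lyr, ctrls in CONTROL_MODEL.items() if ctrl in ctrls}
        if not layers:
            result[ctrl] = "unmapped"    # needs a manual mapping first
        elif layers & CUSTOMER_LAYERS[model]:
            result[ctrl] = "build"       # Build It In
        elif ctrl in provider_attested:
            result[ctrl] = "contract"    # RFP/Contract It In
        else:
            result[ctrl] = "gap"         # nobody covers it: a gap to close
    return result

# Constructed sample: PCI-like requirements in the control model's names,
# against an IaaS provider that attests only to physical plant security.
SAMPLE = gap_analysis("IaaS", {"Physical Plant Security"},
                      {"Firewalls", "Encryption", "WebApp Firewalls", "CCTV",
                       "Physical Plant Security", "Two-Factor Authentication"})
```

Re-running the same requirement set under "SaaS" moves every mapped control to contract or gap, which is the "RFP/Contract It In" end of the slide's picture.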
Cloud Security Alliance - Guidance
The Cloud Security Alliance’s 13 Critical Areas Of Focus for Cloud:
1. Architecture & Framework
Governing the Cloud:
2. Governance & Risk Mgmt
3. Legal & Electronic Discovery
5. Compliance & Audit
6. Information Lifecycle Mgmt
7. Portability & Interoperability
Operating the Cloud:
8. Traditional BCM, DR
9. Datacenter Operations
10. Incident Response
11. Application Security
12. Encryption & Key Mgmt
13. Identity & Access Mgmt
www.cloudsecurityalliance.org
CloudAudit & the A6 Deliverable
• Provide a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their environments
• Allow authorized consumers of services to do likewise via an open, extensible and secure interface and methodology.
http://www.cloudaudit.org
Key Takeaways (From A Customer’s Perspective)
We already have most of what you need to make an informed set of decisions:
• Cloud Security comes down to the basics...
• You have a risk assessment methodology, right? You classify assets and data and segment already, right?
• Interrogate vendors and providers; use the same diligence that you would for outsourced services today; focus on resilience/recovery, SLA’s, confidentiality, privacy and segmentation. See how they twitch.
• The challenge is to match business/security requirements against the various *aaS model(s) and perform the gap analysis
• Each of the *aaS models provides a delicate balance of openness, flexibility, control, security and extensibility
• Go back & look at the “Right For the Cloud?” criteria
• REGARDLESS of the model, you are still responsible for some element of security
References
• Cloud Computing Google Groups:
  Cloud Computing: http://groups.google.com/group/cloud-computing
  Cloud Computing Interoperability Forum: http://groups.google.com/group/cloudforum
  Cloud Storage: http://groups.google.com/group/cloudstorage
• Read Craig Balding’s Blog: http://www.cloudsecurity.org
• Read Christofer Hoff’s Blog: http://www.rationalsurvivability.com
• Join the Cloud Security Alliance & CloudAudit...