The Trusted Front Door to the Cloud

Transcription

1 The Trusted Front Door to the Cloud Jeff Burstein Director, Product Management, User Authentication 1 The Great Commoditization of IT has Begun Economic Drivers Pay as you go (or else) CAPEX to OPEX Simplification Simpler deployment On demand scaling Disruptive Technology Virtualization Ubiquitous it network connectivity Sources: VeriSign, Computerworld 2

2 But Security Remains a Significant Concern Rogue Administrator Weak passwords Data Leakage & IP theft Melted perimeters Drive-By Malware Zeus Man-in-the-Middle Middl Multi-Tenancy & Data Mingling Identity Theft Collapse of Roles Key-Loggers SQL Injection DDOS Attacks Major security issues are cloud specific, requiring cloud specific solutions 3 Cloud Oriented Security Still Missing Security from the cloud: A/V, , Web, Auth Securitywithin thecloud: honey pots, FS/IT ISAC ISAC Security for the cloud:??? Sources: VeriSign, Computerworld 4

3 Security Needs to Rapidly Evolve STRONG AUTH DLP FEDERATION ENCRYPTION IRM IDENTITY INFORMATION Less Network & Device Centric, Increasingly Identity & Information-Centric. 5 Why is that? 6

4 The End of I.T. As We Knew It Central IT managed Datacenters Well defined perimeters Devices Application / Services Back end Infrastructure Ownership IT owns the desktop, the application, the network, the storage, the whole infrastructure Control G.R.C. policy spawning all the layers relatively easy in such centralized environment Enterprise App Datacenter Centralized and Tightly Controlled 7 The New World of IT: Distributed & Loosely Controlled Loss of control??? Device Consumerization i Applications become SAAS Infrastructure moves to the cloud Information everywhere: in the cloud and in unmanaged devices New IT Controls Left? Identity & Information Security 8

5 TRUST is Actually the Larger Issue Security Privacy Policy Reputation Audits Reliability Compliance Assurance Sources: VeriSign, Computerworld 9 The Cloud Needs a Trust Framework Trust Framework = New Trust Infrastructure + Policy 10

6 Easier Said than Done Where do we start? 11 Start with Identity: It is the Lynchpin ecommerce Cloud Certificate Authority New Infrastructure Trusted Front Door New Policy The Need: ID Infrastructure + Trust Policy 12

7 New Infrastructure: Identity Broker Federation Broker Enable one single identity across all cloud services (corporate ID) One Corporate Identity (Federation Broker) Integration Policy Mgt. Enforcement Provisioning broker Integrates provisioning across all clouds Authentication Broker Unifies authentication across all clouds Authorization Broker Enforces access policy across all clouds 13 Example: Single Cloud Identity & Password Policy Julie Employee Trusted Identity Source Layer Corp AD, LDAP Unified Sign-In (LDAP, OID, SAML) GMAIL, SF.COM & high availability trusted IDPs Authorization Layer Access Broker Layer Access UX (dash, links) Cloud Access Policy Engine Forward Reverse esso HTTP Proxy Proxy Client Redirects Authorization Broker (SAML, HTTP-POST, OAUTH) 14

8 What About. Our rogue administrator? i 15 Trust Through Information Protection DLP ENCRYPTION Back door information security required Need info sec technology (DLP, encryption) at cloud provider Solves both the rogue admin and local jurisdiction of data challenges Yes, but where should we store the keys? Keysbetter managedoutside cloud provider Identity broker eventually becomes key management broker (id >key) 16

9 Example: Cloud Information Rights Mgt. Strawman Julie Employee 1 12 File with Julie File with Employee PCI info PCI info DLP Agent Key for ID Scan, classify, encrypt based on local policy and remote user key Authenticates & authorizes Identity & Key Broker Authenticates & authorizes BOX.NET File with PCI info File with PCI info DLP ENCRYPT DECRYPT Scan, classify Encrypt based on local policy using identity-based key Decrypt using identity-based key May ask broker for device, and location context before releasing 17 Trust Through Certification Certified Cloud PCI for the Cloud Information protection controls At rest (DB/FS encryption & key mgt) Cloud In transit (DLP, SSL) Privileged access security Strong Authentication Vulnerability Network, system, application level security holes Audit 18

10 Trust Through Transparency (Auditing & Monitoring) Julie Employee SIEM for the Cloud is needed Many deployment alternatives SIEM in the cloud for the cloud (front door) interesting Hard to scale: Highly distributed open source FS & databases likely relevant SIEM for the Cloud + Visibility: security events log & aggregation Many deployment + Intelligence: event indexing, search & correlation) + Cloud compliance Reports + Cloud Incident investigation & forensics 19 Eventually, In Cloud We Trust Identity Broker Information Protection Broker (Key Mgt.) SIEM for the Cloud FRONT DOOR Trust the identity (ID BROKER) Trust the information (Key Mgt. BROKER) Trust but verify (SIEM) BACK-DOOR Trust the provider controls through certification PCI for the Cloud New Trust Infrastructure & Certification for the Cloud 20

11 Conclusion: From Love to Trust TRUST IS KEY Is the largest obstacle to cloud adoption. We need a trust framework (trust infrastructure and policy). TRUST BROKERS TO EMERGE Trust brokers and certifications frameworks will emerge like they did for ecommerce 15 years ago. NEW TRUST LAYER FOR THE CLOUD The new cloud middleware is about trust and security. It becomes critical infrastructure 21 Thank you! Copyright 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document tis provided d for informational purposes only and is not intended d as advertising. i All warranties relating lti to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. 22