Secure Cloud Computing

Transcription

1 Secure Cloud Computing

2 Agenda Current Security Threat Landscape Over View: Cloud Security Overall Objective of Cloud Security Cloud Security Challenges/Concerns Cloud Security Requirements Strategy for Securing Cloud Infrastructure & Services Approach & Methodology for Securing Cloud Infrastructure & Services Government laws regarding data security and controls Q&A

3 Advanced Targeted Attack Life Cycle Criminal Theft Espionage Sabotage After the Fact Expensive Public Uncertainty COMPROMISE CONTAINMENT ATTACK DISCOVERY High Value Data Key Systems Exploit Weakness Stealthy Replacement Process Preparation Sadder but Wiser 2

4 Security-Related TCO Is Skyrocketing Multiple products operate in separate functional silos Constantly rising costs of operational security No efficiency, no effectiveness Stale defenses lack adaptive, contextaware capabilities Increasingly complex to manage 4

5 Recent Notable Advanced Targeted Attacks Targeted attacks against Point-of-Sale (POS) systems Memory parsing/scraping malware Extracts full magnetic stripe data out of memory Not detected by traditional A/V Not detected for a significant amount of time Substantial damage million credit cards where ex-filtrated in the TARGET compromise Containment took long (VISA) 5

6 Evolution of Cloud Computing

7 Evolution of the Datacenter Discrete Datacenter Compute Management Storage Network Consolidation Discrete Networks Traditional Security - Policies tied to physical attributes Virtualized Datacenter Servers Unified Network VM VM VM VM Mgmt Storage Arrays Flexible Management 10G Unified Network Virtualized Security - Context aware policies Cloud Datacenter Cloud Infrastructure Security Network Storage Compute Datacenter Facilities (e.g. cooling, power) Efficient and Secure Open Architecture Simplified Network Federated Security - Security delivered as a set of services

8 Cloud Enabler-Virtualization Virtualization = New platform for greater flexibility Flexibility & Scalability Rapid deployment of Servers & Desktops based on standard built Heterogeneous OS & Application environment running on one single HW Virtualization changes the definition of an endpoint Virtualized systems are no longer systems, they become data Virtual images built on the fly re-define the notion of an asset

9 The Business Need for a New Model Reduce Costs, Improve Agility 5 weeks Workload Some minutes = Differentiated storage Differentiated networks Differentiated isolation Differentiated security Other 3 rd party services Few Days 9

10 Reduce Costs, Improve Agility for all Datacenter Security and Services Differentiated storage Differentiated networks Minutes VDC Differentiated isolation Differentiated security Few Days Other 3 rd party services Datacenter Security Consolidated Workload-centric Policy-driven Extensible

11 Virtual Datacenter Cloud Infrastructure Datacenter spans physical, virtual and cloud deployments SaaS Applications Manage Dashboard PaaS Workloads Data Policies Workflows Compliance Infrastructure IaaS Compute Storage Network Essential Characteristics Broad Access, Rapid Elasticity, On Demand Self Service, Resource Pooling

12 Overall Objective of Cloud Security: Transparency Secure cloud infrastructure- Physical & Virtual Delivering Secure Cloud Services Providers should implement current & future cloud Standards & Certifications Automation of auditing & security 12 Transparency Confidence

13 Cloud Security Challenges/Concerns Data and Identity Centric Controls in Cloud are hard Dynamic perimeter based on data access and service requirements vs. logical network separation How do provision (and de-provision) identify + authorization across a network of providers Data Leakage threats from Cloud Infrastructure Database Compromises from Cloud Infrastructure High Availability and Performance requirements Virtual infrastructure makes traditional security solutions difficult on both network Content security Lack of Visibility in Inter-VM traffic Advanced Persistent Threats (e.g. Stuxnet, Operation Aurora, Operation Shady RAT etc.) Security controls need to understand the legacy and next generation message exchange protocols Anti-malware protection across large volumes of data must be optimized Protect access to critical data resources from multiple threat vectors to include insiders

14 Cloud Security Requirements Dynamic Risk Assessment Enterprise framework that support Machine to Machine data collection for continuous monitoring Comprehensive assessment for vulnerability, behavior, configuration and impact Real-time discovery capability for assets, applications and data Threat-Based Defense Defend the key attack vectors and priority targets based on intelligence Automated assessments with countermeasure awareness No impact to availability or performance of critical systems Handling APT Attacks Monitoring across several domains Integration of IT risk data or events with cyber physical data for impact decisions & higher level decision support systems Handling Big Security Data

15 Strategy for Secure Cloud Infrastructure & Services

16 Cloud Security Approach/Methodology Secure the Physical and Virtual Datacenter Architecture Defend the whole of the datacenter from infrastructure to application and across all threat vectors Enable comprehensive readiness assessment for web applications, databases and systems Provide continuous monitoring, rapid data retrieval and analysis for incident response Application access through API Calls Secure the Cloud Provider Protect data and identity services in the provider datacenter Secure Software-as-a-Service providers with Cloud Security Platform Enable Secure Use of Cloud Services Understand messaging protocols to ease integration of legacy systems and provide data loss protection Identity management provided by Cloud Based Identity Management solution

17 Securing Cloud Based Data Centers

18 Cloud Security Components for VDC Security Monitoring and Management Datacenter Asset Inventory with Security Overlay Risk Based Event/Log Correlation Local Threat Intelligence Server Security Memory Protection Application Whitelisting Change Control Hardware Assisted Security Virtualized Platform Hypervisor Security Resource Optimization through Offloading Agent-less Security through Integration with VMM Unified Management G T I SIEM Secure Data at Rest Encryption & Database Security Securing data at Storage Virtual Network Security Advanced Evasion Prevention Virtual Intrusion Prevention Virtual Next Generation Firewalls Secure Data in Motion Content & Context Visibility Virtualized Network Protection

19 Unified Management Open APIs Partner Ecosystem Unified Management Automated Compliance Auditing (Policy Auditor/ Vulnerability Manager) Management (Unified Command Center) Alerts Notifications Reporting SLAs Unified Management Across Physical Virtual and Cloud Access from anywhere via web-based UI Highly Extensible Leverage partner ecosystem APIs to adapt to changing market and business requirements End-to-end Visibility and Control Insight into policies and compliance posture across applications, endpoints, servers and networks SIEM for situational and context awareness Regulations Frameworks Standards SOX ISO PCI DSS HIPAA COBIT CIS GLBA NIST NIST FISMA FDCC DISA STIGS McAfee Confidential Internal Use Only

20 Global Threat and Vulnerability Intelligence Threat Reputation Network Security Mobile Security Web Security Mail Security Endpoint Security Database Security 3rd Party Feed.

21 Cloud Based Unified Security Management Platform See log frequencies Search for logs Correlate events What data is involved? Who is doing it? Are they a bad actor? What is the risk of the system? What is the risk of the user? Big Security Data DB Applications Visualize, Investigate, Respond Advanced Correlation Engine GLOBAL THREAT LANDSCAPE Threat intelligence feed Immediate alerting Historical Analysis Dynamic Context Content Aware Traditional Context Log Management Scalable Architecture ENTERPRISE RISK LANDSCAPE Vulnerabilities Countermeasures Individuals Risk Advisor epolicy Orchestrator Database OPTIMIZED High Speed Intelligent Correlation

22 Delivering Secure Cloud Services

23 Delivering Cloud Computing Cloud Partners Cloud Vendors Applications Customers Data Loss Intrusion Authentication Web Data Loss Intrusion Enterprise Mobile Users Enterprise Users Private Cloud Applications

24 Secure Cloud Service Delivery Modules Partners Unified Management, Policy and Reporting, Integration Identity Management Security Cloud Ecosystem Cloud Vendors Applications Authentication Web Data Loss Prevention Global Threat Intelligence Cloud Security Platform Customers Services API Gateway Web Security SaaS or Appliance Mobile Users Enterprise Enterprise Users Private Cloud Applications

25 Cloud Access Challenges-Identity Management Multiple Logins / Weak Security Lack of Visibility Manual Provisioning Single Sign On (SSO) & Strong Authentication Centralized Management Console Auto Account Provisioning & Profile Sync ID Infrastructure Integration Audit Silos Scalable, Federated Trust AuthN & Provisioning Connectors AD & IAM Centralized Audit Logging Standards Based

26 Identity Management with Strong Authentication SSO Provisioning Strong Auth Enterprise Provision Access Adaptive Strong Auth Secure SSO Regulatory Compliance Provision/de-provision user accounts AD integration Sync Id Profiles Selectively apply 2 nd factor OTP AuthN Variety of software AuthN methods and devices- mobile devices, SMS, Federate windows/ AD login To popular SaaS like Salesforce and Google Apps Rich audit trail of user login showing AuthN level De-provision and orphan account reports

27 Deployment to the cloud 1. Account Provisioning 2. Browser Federation/SSO Old Enterprise Perimeter Dynamic Perimeter Account Provision IdM or Active Directory Portal / Apps Internal Session Cloud Identity Manager Service API Calls Provisioning Policy Cloud SSO SSO Request Custom Apps User Browser Bring secured, monitored cloud endpoints under enterprise IT control

28 Deployment to the cloud Step Central up Monitoring, OTP Strong Auth Audit, Privacy Settings Old Enterprise Perimeter Dynamic Perimeter IdM or Active Directory Audit Repository Portal / Apps OTP Strong Auth Cloud Identity Manager Cloud SSO Cloud SSO Mgt Console Custom Apps User Browser Bring secured, monitored cloud endpoints under enterprise IT control

29 Secure Cloud Service Delivery Modules Partners Unified Management, Policy and Reporting, Integration Identity Management Security Cloud Ecosystem Cloud Vendors Applications Authentication Web Data Loss Prevention Global Threat Intelligence Cloud Security Platform Customers Services API Gateway Web Security SaaS or Appliance Mobile Users Enterprise Enterprise Users Private Cloud Applications

30 Diverse Apps are Exposed as Services & APIs to Consumers Consumers Services Abstraction Pattern App Types Citizen A P I Unemployment Tax payment WOA REST egov Employee/Partner A P I Order status Inventory SOA Supply Chain Developer A P I Applications Components App Store Web 2.0 Operations A P I Configure Capacity Monitoring IaaS/PaaS Cloud

31 APIs are everywhere Cloud Provider API Leverage third-party services API Shielding API Cloud Provider Applications move off premise Fast Changing Cloud APIs Enterprise

32 A Service Gateway Broker Model Makes a lot of sense Cloud Provider API Cloud Provider Enterprise APIs can be exposed, consumed, and proxied to a Service Gateway to offload security & communicate with back end infrastructure vs point to point integration

33 Secure Cloud Service Delivery Modules Partners Unified Management, Policy and Reporting, Integration Identity Management Security Cloud Ecosystem Cloud Vendors Applications Authentication Web Data Loss Prevention Global Threat Intelligence Cloud Security Platform Customers Services API Gateway Web Security SaaS or Appliance Mobile Users Enterprise Enterprise Users Private Cloud Applications

34 PROTECT EVALUATE ANALYZE SOURCE Data Loss Prevention At Rest In Use In Motion DLP Discover: Find and Inspect DLP Monitor: Capture Policy Intelligence Admin Action Policy Application DLP Prevent: Enforcement User Action Encrypt Block Monitor Educate Move

35 Protection In Cloud Delivery Platforms Mobile Devices (Appliance, Virtual Appliance, SaaS, Blade Server, and Hybrid) Simplified Cost Model Unified Policies &Quarantines Protection Business Continuity ( and DLP) Layered Protection (Maximized scalability and security)

36 Web Protection In Cloud Delivery Platforms Mobile Workers & Devices (Appliance, Virtual Appliance, SaaS, Blade Server) Pricing Consistency Common Policy Web Protection Security Services Common Reporting (Web Filtering, Gateway Antimalware, GTI, DLP, SSL, App Control)

37 Modules Summary: Key Attributes of Secure Cloud Services Partners Mobile Users Cloud Vendors Services Gateway Security Cloud Ecosystem Applications Customers Authentication Data Loss Web Prevention Global Threat Intelligence Cloud Security Platform Enterprise Enterprise Users Identity Management Web Security Private Cloud Applications SaaS or Appliance More Flexibility Modular based On-premise, SaaS or virtual Protect headquarters, remote offices and mobile users Easier to Manage Consolidated solution Centralized reporting through Unified Management Open platform to integrate existing solutions Greater Protection Creates secure bridge covering primary Cloud traffic channels Consistent protection & policies across web, identity & Real-time protection via Global Threat Intelligence

38 Government laws regarding data security and controls Indian IT Act 2000 (Amendment 2008) Section 43A of the Information Technology (Reasonable security practices and procedures and sensitive personal data information) Rules 2011 The provision require any corporate bodies which 'receives, possesses, stores, deals, or handles any 'sensitive personal data' to implement and maintain 'reasonable security practices', failing which, they are held liable to compensate those affected Section 72A of the (Indian) Information Technology Act, 2000, disclosure of information, knowingly and intentionally, without the consent of the person concerned and in breach of the lawful contract. Section 72 of the IT Act provides for penalty for breach of confidentiality and privacy. Some of the links are as follows: Other Security Frameworks: ISO 27001, NERC etc. 38

39 Securing Cloud Infrastructure & Services- Summary Cloud Security Survivability= Speed of Detection + Speed of Response 39

40 Q&A 40