2012-04-05
Cloud Security: Securing what you can't touch
Presentation to Malaysia Government Cloud Computing Forum
www.huawei.com
HUAWEI TECHNOLOGIES CO., LTD.
Why worry about cloud security?
HUAWEI TECHNOLOGIES CO., LTD. Huawei proprietary. No copying without permission. Page 2
Yesterday, security was easy
[Diagram: a single LAN]
Today, security is more complicated
[Diagram: LAN connected to the Internet]
Cloud brings new security challenges
Trends (virtualized datacenter and public cloud):
- Virtualization FOR security
- Virtualization OF security
- Geo dispersion
- Multi-tenancy
- Consolidated workloads
- Loss of control
Challenges:
- Blurring perimeter, geo-fencing, unmanaged endpoints, security of virtualization
- Data location, local regulations
- Inter-VM attacks, isolation, compliance
- Virtual security appliances, dormant VMs, introspection APIs
- Data-centric security, forensics, data privacy and integrity
Source: Huawei
Security Challenge: Find the Gaps
Source: Cloud Security Alliance
Top Threats to Cloud Computing
1. Abuse and nefarious use of cloud computing
2. Insecure application programming interfaces
3. Malicious insiders
4. Shared technology vulnerabilities
5. Data loss/leakage
6. Account, service and traffic hijacking
7. Unknown risk profile
Source: Copyright 2010 Cloud Security Alliance
Understanding risk is difficult
Security: Sorting out the risks
- Regulation compliance: meet government/industry requirements
- OAM security: protection for administration actions
- Data security: securing critical information storage
- Network security: establishing trusted network connections
- Virtualization security: isolating virtualization problems
- Basic platform security: protecting hardware and network
- Physical security: ensuring the security of the data center against intrusion
Huawei Layered Approach
Layers, from the bottom up:
- Physical security
- Infrastructure
- Network
- Management
- Virtualization
- Application (application security)
- Regulatory
First: Create a security plan
1. Find an experienced partner
2. Define requirements
3. Document attack vectors
4. Plan defense-in-depth
5. Test on paper
6. Implement
7. 3rd-party black box test
Data Center Security: Protect the Jewels
- Secure location
- Diverse, protected utilities
- Robust building construction
- Site entry control
- Building entry control
- Data center entry control: biometrics, man trap, 2-factor authentication
Source: CSO Online
Cloud Environment Security
Network security:
- Security domain division and network isolation (vLAN, vfirewall)
- Border protection (anti-DDoS, IDS/IPS)
- Transmission security (SSL/VPN)
Data security:
- Isolation of user data
- Data access control
- Information protection
Virtualization security:
- VM isolation
- Hypervisor security
- VM protection (anti-spoofing)
User security:
- Identity and access control
- Priority management
- Operation log
- OS/DB security enhancement, anti-virus
[Diagram: Internet, edge router, anti-DDoS, IDS/IPS, firewall, IPSec/SSL, L3 and L2 switches, load balancer, computing servers with App/OS VMs on a vswitch/vlan, vstorage, storage server, encode/decode and token management]
Application security: Must be Built in
- Data separation: dedicated databases for applications
- User authentication: two-factor identification
- Role-based access: limit user and admin capabilities
- Exploit protection: ensure compliance with the Open Web Application Security Project (OWASP) Top 10
- Application patching: automated and monitored
- Data encryption: by the application, with secure control of user keys
Huawei SingleCLOUD Security
- Perimeter: Eudemon firewalls, IDS/IPS, anti-spam, anti-virus, security zones
- Network: VLANs, SSL, VPC
- Cloud software, VM protection: vfirewall, vIDS/IPS, inter-VM protection, security zones
- OS protection: pre-hardened, central patching
- Storage protection: VM association, clearing, encryption
- Admin protection: role-based security, multi-factor ID, logging
Huawei Security Products
- Security service, software security management (Secospace Suite): terminal security, asset management, access control, software distribution, patch management, log audit, authentication service, employee behavior management
- Firewall/VPN: USG 50, SVN 3000 SSL VPN, Eudemon 100E/200/200S, USG 3030/3040, Eudemon 300/500/1000, Eudemon 8080/8040
- Intrusion detection system: NIP100, NIP200, NIP1000
- Service inspection gateway: SIG 1000, SIG 9280
Security Fabric in Huawei R&D Cloud
[Diagram: Cloud Data Center with Top-secret Zone, R&D Zone and Non-R&D Zone; AD, SPES and DNS at each site; Shanghai R&D and Shenzhen R&D over Internet / Intranet]
T6000 specification: 2 blades / 2U; 2 CPUs / blade; 18 DIMMs / blade; 4-6 HDDs / blade; 2*10GE / blade
VM specification: vCPU: 2 GHz; RAM: 2 GB; vstorage: 160 GB
Summary
- IT security is complicated
- Cloud increases complexity
- The solution is a systems problem
- Good partners are key to successful security
Thank you
www.huawei.com
Copyright 2011 Huawei Technologies Co., Ltd. All Rights Reserved.