Don't Forget Your Security Umbrella in the Cloud. Richard Sheng, Director of Product Marketing, APAC
Why the cloud matters? Speed and Business Impact; Expertise and Performance; Massive Cost Reduction. 1) The Cloud Imperative: "If by mid-year you have not developed and begun to execute upon an ambitious and enterprise-wide cloud strategy, then by year-end the odds are good you'll no longer be a CIO." Global CIO: The Top 10 CIO Issues For 2010, InformationWeek, 21 December 2009
The Evolving Datacenter. Stage 1: Consolidation. Stage 2: Biz Applications & Desktop. Stage 3: IaaS + Public Cloud. Cost-efficiency + Quality of Service + Business Agility. [Chart: Servers and Desktops; values shown: 85%, 70%, 30%, 15%] Datacenters are evolving to drive down costs and increase business flexibility.
Substance Emerging From Cloud Hype. Cloud Computing Reduces Costs, Increases Agility. Public Cloud for Backup & Storage: "Using public cloud services, GE reduced backup costs by 40% to 60%, created reusable processes in a rapidly deployable model." Matt Merchant, General Electric (December 2009). Pharmaceutical R&D and The Cloud: "Drug behemoth Eli Lilly and Co. uses Amazon's Elastic Compute Cloud (EC2) for scientific collaboration and computations because they empower many subsets of users." SearchCIO.com, 30 July 2009. Top 10 Strategic Technologies in 2010: "Cloud Computing. Organizations should think about how to approach the cloud in terms of using cloud services, developing cloud-based applications and implementing private cloud environments." SearchCIO.com, 22 October 2009. Cloud Computing & Security: "CISOs and Security Architects: Don't let operations-led projects lower your security profile. Engage in a discussion of the issues now, not after the fact." Neil MacDonald, IT Research Firm, December 2009
Spending In Cloud Computing. IDC predicts IT spending on cloud to reach 10% by 2013. Information Week IT Survey: 17% in public cloud; 30% planning for private cloud; 25% spending at 20% of total budget. Trend Micro Confidential 8/13/2010
Agenda: Datacenter & Cloud Security Vision; The Cloud Computing Evolution; Security Challenges in the Cloud; A New Architecture for Datacenter Security
Cloud Computing Compromises. Jan 2010: Google Gmail hacked by attacks originating in China (Financial Times). Oct 2009: Amazon EC2 customer Bitbucket taken offline by Distributed Denial of Service attack (The Register). Oct 2007: Salesforce.com security breached. Repeatedly hacked (Washington Post). Enterprise security challenges continue in the cloud.
The #1 concern about cloud services is security. Key Challenges/Issues to the Cloud/On-demand Model Source: IDC exchange, "New IDC IT Cloud Services Survey: Top Benefits and Challenges," (http://blogs.idc.com/ie/?p=730) December 2009
Problem #1: Outside-in approach and rapid virtualization have created less secure application environments. "Through 2012, 60% of virtualized servers will be less secure than the physical servers they replace." Addressing the Most Common Security Risks in Data Center Virtualization Projects, IT Research Firm
Virtualization & Cloud Computing Create New Security Challenges. [Diagram labels: Inter-VM attacks PCI VM Mobility Cloud Computing Hypervisor] New Challenges Require a New Security Architecture.
Inside-Out Model. Server & application protection for: PHYSICAL, VIRTUAL, CLOUD. IDS / IPS; Deep Packet Inspection; Web App. Protection; Application Control; Malware Protection; Integrity Monitoring; Log Inspection; Firewall.
Trend Micro Deep Security: Co-ordinated Approach Optimized protection Operational efficiency Security virtual appliance Efficiency Manageability Security VM Hypervisor Agent-based Security Protection Mobility Copyright 2010 Trend Micro Inc.
Security Challenges Along the Virtualization Journey. Consolidation of IT Business Production IaaS + Public Cloud. 1) Trust levels inhibit consolidation; 2) Host controls under-deployed; 3) Inter-VM attacks; 4) Instant-on gaps; 5) Mixed trust level VMs; 6) Resource Contention; 7) Compliance / Lack of audit trail; 8) Data confidentiality & integrity; 9) Data access & governance; 10) Diminished perimeter; 11) Multi-tenancy; 12) Data destruction.
Problem #2: Data protection is the most pressing concern, but data is mobile, distributed and unprotected. Any data leaving the data center be encrypted, which includes cloud services.
Amazon Web Services Customer Agreement. 7.2. Security. We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications. http://aws.amazon.com/agreement/#7 (3 March 2010). The cloud customer has responsibility for security and needs to plan for protection.
Who Has Control? Servers; Virtualization & Private Cloud; Public Cloud IaaS; Public Cloud PaaS; Public Cloud SaaS. End-User (Enterprise); Service Provider.
Challenge of Securing Data. [Diagram labels: Datacenter, Cloud, Perimeter; Company 1 to Company n; App 1 to App n; Hypervisor] Datacenter: Strong perimeter security; No shared CPU; No shared network; No shared storage. Cloud: Weak perimeter security; Shared CPU; Shared network; Shared storage. Traditional outside-in approach is inadequate in an inside-out cloud world full of strangers.
Enterprise Controlled Data Protection for the Cloud. Patent pending Trend Micro technology enables enterprises to retain control of data in the cloud.
Security Challenges Along the Virtualization Journey. VMware and Trend Micro help customers address these issues, and accelerate the journey. Consolidation of IT Business Production ITaaS. 1) Trust levels inhibit consolidation; 2) Host controls under-deployed; 3) Inter-VM attacks; 4) Instant-on gaps; 5) Mixed trust level VMs; 6) Resource Contention; 7) Compliance / Lack of audit trail; 8) Data confidentiality & integrity; 9) Data access & governance; 10) Diminished perimeter; 11) Multi-tenancy; 12) Data destruction.
Key Take-Away for Cloud Security. 1) Traditional security model for the physical environment will NOT work in a virtualized one. 2) Cloud service providers will NOT guarantee confidentiality and integrity of your data.
Trend Micro Customer Successes: Virtualization and Cloud Computing. Workstream: Enabled business scalability while maintaining security as a differentiator. Secure HR applications and data for the Fortune 100. Premier provider of talent management solutions. 24X7 SAS-70 & SOX compliant HR services center. Deep Security enabled a massive virtualization program; Reduced 600 servers to 20. Beth Israel Deaconess: Enabled access to cutting-edge health care applications and data. Secure On-Demand Electronic Health Record Solution. The teaching hospital and network of a major medical school. Private external cloud delivers SaaS EHR applications and data for network of 300 physicians across 173 locations. Trend-setter for provider-sponsored EHR/HIPAA initiatives. Deep Security our most important security layer.
Trend Micro Customer Successes: Virtualization and Cloud Computing. Leading Australian Bank: Enabled IT operations team to comply with corporate IT security standards. Secure Virtualized Banking Datacenter. Leading financial institution providing retail, business, and wealth management services. 400+ branches with 90% virtualization. Experienced AV-storm. IT operation-led project continued w/o lowering security profile. Australian Government: Enabled advancement of datacenter virtualization to meet Gershon Review. Secure Informed Decision-Making and Research. One of the most virtualized government entities in Australia. 96% of the datacenter virtualized. Protect inter-VM traffic and audit system changes within VMs.
Trend Micro Security Enables The New Era. Future Proof: Facilitates evolution from datacenter to the cloud. Business Power: Avoids lock-in & enables portability between cloud providers. Control: Enterprise retains control of the data in the cloud.
Thank You