Ayala summit2013
42
Ayala Summit 2013, Philippines 12345678 A8BCD65E FD CD 386 FD35DCB5CD8 48D3563 B88B8 5DC Copyright 2013 FUJITSU LIMITED William Ho Regional Senior Consultant BCCE, BCCLA, CBCP, CCSKV2.1, CCSKV3, CISA, CISM, CRISC, CITPM, MBCI, ITIL,VCP, TOGAF
-
Upload
william-ho- -
Category
Marketing
-
view
47 -
download
1
Transcript of Ayala summit2013
Ayala Summit 2013, Philippines
��������A�BCD��EF�D��CD
���������������FD���DCB�CD�� ����D���������B�����B���D�C�����
Copyright 2013 FUJITSU LIMITED
William Ho
Regional Senior ConsultantBCCE, BCCLA, CBCP, CCSKV2.1, CCSKV3, CISA, CISM, CRISC, CITPM, MBCI, ITIL,VCP, TOGAF
Ayala Summit 2013, Philippines
Agenda
�Introduction
�Addressing the Concerns and Challenges
�Security Assessment
�Threat Modeling and Suggestions
�Network of Virtual Environments
�Data Security and Mitigations Suggestions
�People Related Implications
�PCI and Cloud Computing
�Q&A
���ED���� !"#$%&��A%'�(���)2
Ayala Summit 2013, Philippines
� Introduction
� Addressing the Concerns and Challenges
� Security Assessment
� Threats Modeling and Mitigations Suggestions
� Network of Virtual Environments- Suggested considerations
� Data Security, Concerns and Suggestions
� People Related implications and Mitigations
Ayala Summit 2013, Philippines
�������� AB�C�D�
Prepared for the JourneySecurity is still a Major Concerns
Ayala Summit 2013, Philippines
Top 10 Strategic Technology Trends for 2013
Cloud is becoming a mainstream
computing style and delivery option with
hybrid cloud, cloud brokerage and new
delivery, management, and security
options accelerating adoption.
Copyright 2013 FUJITSU
Ayala Summit 2013, Philippines
Concerns
� A����*���D��D�B��B�D���+�C���BCD��E*B�,�����B����
B����B�����E���C����B��C��-.C+��B*.D�����*/E+D��01������
B����2C��B�F�D�������,�3�D��E�FB��C���FD���DCB�CD�
�����E,����4
Source: Top 10 Strategic Technology Trends for 2013, Gartner April 2, 2013
Copyright 2013 FUJITSU
Ayala Summit 2013, Philippines
� Introduction
� Addressing the Concerns and Challenges
� Security Assessment
� Threats Modeling and Mitigations Suggestions
� Network of Virtual Environments- Suggested considerations
� Data Security, Concerns and Suggestions
� People Related implications and Mitigations
Ayala Summit 2013, Philippines
Threats
Modeling
Threats
Modeling
Addressing the Concerns and Challenges
• Threats and Mitigations
• Protection of Data, Security and MitigationsSecuritySecurity
Clear
Objectives
Clear
Objectives• Security Assessment
• Division of Roles and ResponsibilitiesRoles &
Responsibilities
Roles &
Responsibilities
8 Copyright 2013 FUJITSU LIMITED
Ayala Summit 2013, Philippines
� Introduction
� Addressing the Concerns and Challenges
� Security Assessment
� Threats Modeling and Mitigations Suggestions
� Network of Virtual Environments- Suggested considerations
� Data Security, Concerns and Suggestions
� People Related implications and Mitigations
Ayala Summit 2013, Philippines
Self Assessment of Security Requirements
10 Copyright 2013 FUJITSU LIMITED
Source : Cloud Security Alliance
Ayala Summit 2013, Philippines
� Introduction
� Addressing the Concerns and Challenges
� Security Assessment
� Threats Modeling and Mitigations Suggestions
� Network of Virtual Environments- Suggested considerations
� Data Security, Concerns and Suggestions
� People Related implications and Mitigations
Ayala Summit 2013, Philippines
Threat Modeling Example
Threat Description Example
Spoofing Assume identity of client, server or request/response
Phishing attack to fool user
into sending credentials to fake site
Tampering Alter contents of request of response
Message or data integrity
compromised to change parameters or values
Repudiation Dispute legitimate transaction Illegitimately claiming a
transaction was not completed
Information Disclosure Unauthorized release of data Unencrypted message sniffed off the network
Denial of Service Service not available to authorized users
System flooded by requests until web server fails
Elevation of privilege Bypass authorization system Attacker changes group membership
12 Copyright 2011 FUJITSU Asia Pte., Ltd.
Ayala Summit 2013, Philippines
Example Mapping Threat Model-Mitigations
Threat Security Service
Spoofing Authentication
Tampering Digital Signature, Hash
Repudiation Audit Logging
Information Disclosure Encryption
Denial of Service Availability
Elevation of privilege Authorization
13 Copyright 2011 FUJITSU Asia Pte., Ltd.
Ayala Summit 2013, Philippines
� Introduction
� Addressing the Concerns and Challenges
� Security Assessment
� Threats Modeling and Mitigations Suggestions
� Network of Virtual Environments- Suggested considerations
� Data Security, Concerns and Suggestions
� People Related implications and Mitigations
Ayala Summit 2013, Philippines
Challenges for Networks of Virtual Environments
� Consolidate physical servers using virtualization software- Reduce physical servers- Realize central consolidation
services, organizational changes, etc.)
Flexible Operations
Is flexible response to requirement changes
such as addition and update of business
systems available? (Upon provision of new
services, organizational changes, etc.)
Challenge 1
However, when configuring business systems in a virtual environment, challenges exits!!
System Reliability
Are “security”, “safety”, and “stability" of the
business systems ensured?
Challenge 2
network devices and the locations of errors?
Visualize Virtual Environments
When a trouble occurs in communications
between business systems, is it possible to
confirm the operational status of configured
network devices and the locations of errors?
Challenge 3
Virtualization Software
(VMware, Hyper-V, etc.)
Consolidate & Virtualize
Servers
Plant B
Plant A
Headquarters
Office A
Office B
Office C
Copyright 2013 FUJITSU15
Resource pool of physical servers leveraging Virtualisation
Ayala Summit 2013, Philippines
Establish Flexible Operations (Approach to Challenge 1)
� Templates enable quick creation of business systems to respond to the urgent launch of a new business
� Automatic network configuration enables quick configuration of networks without specialized knowledge
Copyright 2013 FUJITSU16
Simplified addition and modification to business systems,
including complicated network reconfiguration
When preparing a 3-tier system for example…
System design?
Device configuration?
DMZ (Web) AP DB
FirewallServer Load Balancer
Storage
Servers
Normally
Using Orchestration & Automation:
Possible to quickly prepare business systems including networks, from the GUI!!
Administrator
Setup is
fast
Network
FirewallServer Load Balancer
Web tier AP tier DB tier So much work is involved!!
Supported devices?
Difficult to prepare it in a short time
Web
tierAP
tier
DB
tier
Resources (devices) are automatically selected
according to the system configuration
By using a template, no need to
perform "system design"!!
Automatic configuration of devices during creation
of systems
Administrator
Ayala Summit 2013, Philippines
Ensure System Reliability (Approach to Challenge 2)
Copyright 2013 FUJITSU17
� ���������AB�A�C��DEA�F����C���AB�A�������������A�C��������A�����E���������FE��E������E�����������E�����BEA�����DEA�F����C����A��E�������������������E������
��BE��
�������� !" �#
$%�������D�&�����'��DE��A��E��
&�AB�A�(����#������A
&��A���
#�E���&�AB�A
!����'���A��
!����AE)���*�A
*������AE)���*�A
'������+���A���"���,EA�F���
(����#�����E��
�������DEA�F���������AB�A�������������A����������
Ayala Summit 2013, Philippines
Visualize Virtual Environments (Approach to Challenge 3)
Copyright 2013 FUJITSU18
� Quickly identify error locations during problems such as service interruptions, enabling a prompt recovery response and reduced service downtime
DMZ (Web) AP DB
Example
device
configuration
Storage
Firewall[ASA5500 Series]
L2 Switch
Business Servers
Admin Server
Periodical Checks (*2)
1. Trouble occurs!
3. Confirm the status change
Identify the device!!(*1)
InfrastructureAdministrator
2. Problem Detected
5. Check the status on5. Check the status on
the Resource Details
window
4. Click the device name
Identify the locations of devices with errors configured in a
virtual environment and detect status changes
*1: The trouble can be confirmed also from messages notifying of status changes which are output in
the event log as well as the icon change.
*2: Devices registered as network devices are monitored.
Ayala Summit 2013, Philippines
� Introduction
� Addressing the Concerns and Challenges
� Security Assessment
� Threats Modeling and Mitigations Suggestions
� Network of Virtual Environments- Suggested considerations
� Data Security, Concerns and Suggestions
� People Related implications and Mitigations
Ayala Summit 2013, Philippines
WHERE IS MY DATA
20
Your Data
Unstructured dataFile SystemsOffice documents,PDF, Vision, Audio & other
Fax/Print ServersFile Servers
Business Application Systems (SAP, PeopleSoft, Oracle Financials, In-house, CRM, eComm/eBiz, etc.)
Application Server
Structured data
Database Systems(SQL, Oracle, DB2,
Informix, MySQL)Database Server
Security & Other Systems(Event logs, Error logs
Cache, Encryption keys, & other secrets)Security Systems
Data CommunicationsEg. VoIP SystemsFTP/Dropbox ServerEmail Servers
Storage & Backup Systems
Eg. SAN/NASBackup Systems
������������A�B�CC�D�A��CEDF����AB��A�F�A��D��E��ED���AE��A������������������A��AB��E���E����D����������������D�������
Copyright 2013 FUJITSU LIMITED
Ayala Summit 2013, Philippines
Considerations
�5�������1���+����D��
�5��1���+��BB������
�5��D�1�����+����D��
�5���B���D����D������B�
�5����D�������+��F�D��BCD��E
�5���������)����6��C�������B�F�B������F��,�
�(������B�,�����B�*7��C������*��B
DataDataDataDataCreationCreationCreationCreationDataDataDataDataSecuritySecuritySecuritySecurityLifecycleLifecycleLifecycleLifecycleForForForForCloud ComputingCloud ComputingCloud ComputingCloud ComputingDataStorageDataDataDataDataUsageUsageUsageUsageDataDataDataDataSharingSharingSharingSharingDataDataDataDataArchiveArchiveArchiveArchive
DataDataDataDataDisposalDisposalDisposalDisposal
21 Copyright 2011 FUJITSU Asia Pte., Ltd.
Ayala Summit 2013, Philippines 22
DATA SECURITY LIFECYCLE
Source: Security Guidance for Critical Areas of Focusin Cloud Computing V3.0, Information Management & Data Security
Copyright 2013 FUJITSU LIMITED
Ayala Summit 2013, Philippines 23
This may also be known as Create/Update because it applies to
creating or changing a data/content element, not just a document
or database. Creation is the generation of new digital content, or
the alteration/updating of existing content.
Consideration (examples)
Ownership
Classification
Rights Management
���������A�B�CAD��B�C�
Copyright 2013 FUJITSU LIMITED
Ayala Summit 2013, Philippines 24
Storing is the act committing the digital data to some sort of
storage repository, and typically occurs nearly simultaneously with
creation.
Considerations (Examples)
Access Controls
Encryption
Rights Management
Isolation
���������A�B�CAD��B�C�
Copyright 2013 FUJITSU LIMITED
Ayala Summit 2013, Philippines
rmt/0- Utilization
0
5
10
15
20
25
30
35
40
45
2:00
2:03
2:10
2:25
2:40
2:55
3:10
3:25
3:40
3:55
4:10
4:25
4:40
4:55
5:10
5:25
5:40
5:55
6:10
6:25
6:40
6:55
7:10
7:25
7:40
7:55
8:10
8:25
8:40
8:55
9:10
9:25
9:40
9:55
27/03/01 - 28/03/01
Pe
rce
nta
ge
(%
)
%wait
%busy
25
Data is viewed, processed, or otherwise used in some
sort of activity
Considerations (Example)
Internal/External
Third Parties
Appropriateness
Compliance
���������A�B�CAD��B�C�
Copyright 2013 FUJITSU LIMITED
Ayala Summit 2013, Philippines 26
Data is exchanged between users, organisations, groups and
individual.
Considerations (Examples)
Internal/External
Third Parties
Purposes
Compliance
Locations
���������A�B�CAD��B�C�
Local Mirroring (RAID 1)
Remote(Offsite) Replication
�������������
Server Server
Primary Replica
Copyright 2013 FUJITSU LIMITED
Ayala Summit 2013, Philippines 27
Data leaves active use and enters long-term storage.
Considerations (Examples)
Legal/Law
Sites/Locations
Media type
Retention
Ownership
���������A�B�CAD��B�C�
Copyright 2013 FUJITSU LIMITED
Ayala Summit 2013, Philippines 28
Data is permanently destroyed using physical or digital means
(e.g., cryptoshredding).
���������A�B�CAD��B�C�
Considerations (Examples)
Secure
Complete
Assurance
Proof
Content Discovery
Copyright 2013 FUJITSU LIMITED
Ayala Summit 2013, Philippines 29
�EECA���AF� �����EC���
Illustrations of application for Data Security Lifecycle:
Data-Impact (useful for Data Classification)
Data Security Lifecycle (useful for RACI)
Copyright 2013 FUJITSU LIMITED
Ayala Summit 2013, Philippines 30
���EC��� �������EC��
Copyright 2013 FUJITSU LIMITED
Ayala Summit 2013, Philippines 31
���EC�����������EC��
Copyright 2013 FUJITSU LIMITED
Ayala Summit 2013, Philippines
Sharing other approaches/scenarios
� Introduction
� Addressing the Concerns and Challenges
� Security Assessment
� Threats Modeling and Mitigations Suggestions
� Network of Virtual Environments- Suggested considerations
� Data Security, Concerns and Suggestions
� People Related implications and Mitigations
Ayala Summit 2013, Philippines
Logical Platform ADivision A
Segregation & Isolation
� The Access Control Feature controls the access between tenants and platforms
� Address Translation Function can hide secure server information
� The IPS feature protects each platform from flooding-attacks
Physical ServerPhysical Server
・・・
Server
Deploy
Server
Service user of division B
Logical Platform
Division B
Internet
Improved network security for customers, projects & divisions
Logical Platform B
NS Appliance(*)NS Appliance(*)
Server
Physical ServerPhysical Server
・・・
NS Appliance(*)NS Appliance(*)
Copyright 2013 FUJITSU33
Ayala Summit 2013, Philippines
Data Protection- Encryption
� Encrypts drive data
Encrypt confidential information in drives
EncryptionEncryption is specified
on a LUN basis
Encryption
Unencrypted data
Encryption
Encryption
Encryption Encryption
Encryption Encryption
Encryption
Encryption
Encryption
Encryption
Encryption
Encryption setting and management
Prevents information leakage
Server A Server B Server C
unique encryption scheme- Less performance degradation than 128bit AES- Closed unique technology ensures the
safety
Encryption
AES (Advanced Encryption Standard) is an encryption standard of the Federal Information Processing Standards
Data removal
protection
Storage
34 Copyright 2013 FUJITSU LIMITED
Ayala Summit 2013, Philippines
���������������A
De-Coupling
Client AOffice Users
Client A Remote Users
Client APhysical App Server
Client APhysical DB Server
Client APhysical Web Server
Client AVirtual App Server
Client AVirtual DB Server
Client AVirtual Web Server
�B�A�C��D�E�F�A��A
A B�A�C��D�E�F�A��A
�B�A�C������F�A��A
AB�A�C������F�A��A
AB�A�C�����F�A��A
�B�A�C�����F�A��A
�B�A�C��D�E�F�A��A
��������A
�B�A�C��D�E�F�A��A
A B�A�C��D�E�F�A��A
�B�A�C������F�A��A
AB�A�C������F�A��A
AB�A�C�����F�A��A
�B�A�C�����F�A��A
�B�A�C��D�E�F�A��A
�������A
Client AStorage
encryption
SAN
SAN
Cloud B
Cloud A���A��������
VPN/SS
L/
IPSEC
VPN/SS
L/
IPSEC
Internet
�A��������
� #8 �
Ayala Summit 2013, Philippines
Client and Application zone
ServersFile Server zone
Security ApplianceEnables
File Security
Data-Key Separation
Additional layer of ACL
AES 256bit Encryption
SCB2 128bit Encryption
Data Encryption on write
Data Decryption on Read
36 Copyright 2013 FUJITSU LIMITED
� Data in Server is encrypted
Hacking into Server will only get encrypted Data
� No keys are exposed
outside of the environment boundary
Ayala Summit 2013, Philippines
Leveraging Application Concepts
� 9��1�D:�������B�
9A�������B������D�C����BCD��E�������B�1��B����CD�����1�D:��BCD��E
�F��D�C���;��,C�������D�E���,�
37 Copyright 2013 FUJITSU LIMITED
Ayala Summit 2013, Philippines
Firewall
Server Load
Balancer
Web
Server
Application
Server
Application
Server
Database
Server
VLAN1001
VLAN1002
VLAN1003
Distribute requeststo two web serversin round-robin fashion
Only HTTPScommunicationto SLB is permittedto access fromoutside the network.
Leverage Load Balancer Functionality
� Example of a 3-tier system configuration
WebServer
Communicationis permitted betweeninternal segments.
Communicationis permitted betweeninternal segments.
38 Copyright 2013 FUJITSU LIMITED
Ayala Summit 2013, Philippines
� Introduction
� Addressing the Concerns and Challenges
� Security Assessment
� Threats Modeling and Mitigations Suggestions
� Network of Virtual Environments- Suggested considerations
� Data Security, Concerns and Suggestions
� People Related implications and Mitigations
Ayala Summit 2013, Philippines
Roles and Responsibilities
40 Copyright 2011 FUJITSU LIMITED
Capacity Management
• Workload placement
planning
• Service continuity mgmt
Service Developers:
• APIs, connectors,
Java
• Integration
Sourcing Management
• Multi-supplier mgmt
• Service governance
• Financial controls
• Comparative analysis
Security professionals
• Information Security
Mgmt
• Sourcing security
Service Managers
• Service portfolio mgmt
• Service governance
• Financial Costing /
cost recovery model
• Service brokerage
Business Relationship Mgmt
• Business Analyst
• Demand management
• Benefit realization
• Cloud Alliance Manager
Cloud Federation &
Aggregation
• Technologist &
cloud federation
architect
Enterprise Architecture Team
• Cloud Computing Architect
• Virtualization SME
Governance & Compliance
• Risk Management
• COBIT, Controls, policies,
processes, procedures
• Internal Audit
• Cloud Risk and
Compliance
Ayala Summit 2013, Philippines
People Related Security
• Division of Roles and ResponsibilitiesRoles &
Responsibilities
Roles &
Responsibilities
41 Copyright 2013 FUJITSU LIMITED
Ayala Summit 2013, Philippines
