Mikhail Kader [email protected] Securing the Public & Private Cloud.
© 2010 Cisco Systems, Inc. All rights reserved. 2
Objectives
Discuss Cloud Computing Service Delivery & Deployment Models, Specific to Security
Analyze Current Threats, Vulnerabilities, Solutions and Opportunities
The Cloud
The Technical View of Cloud
The Consumer’s View of Cloud
...Everything is Cloud
Layers of the cloud stack (top to bottom):
Application (SaaS): Applications at Scale (End users)
Platform as a Service: Execution Platforms at Scale (Developers)
Infrastructure as a Service: Infrastructure at Scale (System Administrators)
Enabling Technology: Cloud Service Delivery at Scale (Public / Private Cloud Providers)
Cloud Deployment Model: NIST Deployment Models
NIST Deployment Models … and one other
Public Cloud: Cloud infrastructure made available to the general public.
Private Cloud: Cloud infrastructure operated solely for an organization.
Virtual Private Cloud: Cloud services that simulate the private cloud experience in public cloud infrastructure.
Hybrid Cloud: Cloud infrastructure composed of two or more clouds that interoperate or federate through technology.
Community Cloud: Cloud infrastructure shared by several organizations and supporting a specific community.
Enterprise Deployment Models: Distinguishing between Ownership and Control
Ownership:
Internal Resources: All cloud resources owned by or dedicated to the enterprise
External Resources: All cloud resources owned by providers; used by many customers
Control:
Private Cloud: Cloud definition/governance controlled by the enterprise
Public Cloud: Cloud definition/governance controlled by the provider
Hybrid Cloud: Interoperability and portability among Public and/or Private Cloud systems
Cutting Through the Fluff: The SPI Cloud Model
Three archetypal models that people talk about when they say “Cloud:”
Cloud Model :: Infrastructure as a Service (IaaS)
Cloud Model :: Platform as a Service (PaaS)
Cloud Model :: Software as a Service (SaaS)
Lots Of *aaSes...Variations On a Theme
*David Linthicum: Defining the Cloud Computing Framework http://cloudcomputing.sys-con.com/node/811519
Storage as a Service
Database as a Service
Information as a Service
Process as a Service
Integration as a Service
Security as a Service
Management as a Service
Testing as a Service...
What This Means To Security
The lower down the stack the Cloud provider stops, the more security you are tactically responsible for implementing & managing yourself.
Examples: Salesforce - SaaS; Google AppEngine - PaaS; Amazon EC2 - IaaS.
The further up the stack the provider goes (SaaS), the more of your security you RFP/Contract It In; the lower it stops (IaaS), the more you Build It In yourself.
Some Things Are Cloud Candidates...
Cloud Ready?
When the processes, applications and data are largely independent
When the points of integration are well defined
When a lower level of security will work just fine
When the core internal enterprise architecture is healthy
When the Web is the desired platform
When cost is an issue
When the applications are new
...Others Not So Much
Not so Cloud Ready?
When the processes, applications and data are largely coupled
When the points of integration are not well defined
When a high level of security is required
When the core internal enterprise architecture needs work
When the application requires a native interface
When cost is not an issue
When the applications are legacy
...Peeling Back the Covers
The things that go bump in the night:
Single Tenancy / Multi-tenancy
Isolated Data / Co-mingled Data
Dedicated Security / Socialist Security
On-premise / Off-premise
A Typical Large Enterprise’s Forward-Looking Journey to the Cloud
Laying Out the Timeline...
Phase 1 (PRESENT): Stand-Alone Data Centers
Phase 2: Private Cloud
Phase 3: Private Cloud and Public Cloud, joined as Virtual Private Cloud / Hybrid Cloud
Phase 4 (~2015-2017): Open Cloud / Inter-Cloud: Federation / Workload Portability / Interoperability across Private Clouds and Public Cloud #1, Public Cloud #2
The Fable of VirtSec & CloudSec
Don’t Worry!
Oh, Wait, Worry...
No, But a Little Perspective...
We’ve rushed to embrace virtualization without solving many of its attendant security, privacy and management challenges in environments over which we have direct control of our information and infrastructure
We’ve brushed past real time infrastructure (RTI), which brings discipline and the technology needed for robust automation, autonomics, orchestration, provisioning, re-purposing and governance
Now we’re hustling to push to “The Cloud,” introducing new operational and business models and stretching technology, with a complete lack of standards?
We Are Product Rich, But Solution Poor
What’s true with VirtSec is true with Cloud, only more so.
Depending upon the type of Cloud, you may not get feature parity for security.
Your visibility and ability to deploy or have a compensating control deployed may not be possible or reasonable.
As it stands now, the abstraction of Infrastructure is really driving the cyclic shift from physical network controls to logical/virtual back into the host/guest.
Web3.0/Infrastructure 2.0?/Security 1.3a?
Mainframes
Client/Server
Web1.0
Web2.0
The Cloud
Achtung! Divergent Models
* Credit: Gunnar Peterson
Cloud security today?
For the Cloud (Functions): IAM, AV, AS, WAF, … (requires “by the cloud” and “in the cloud” products)
In the Cloud (Products): vFW, IDP, DLP, Policy, (id)Entity, … (few native virtual offerings today)
By the Cloud (Services): ScanSafe, Ironport Email, ... (many strong offerings today)
Cloudanatomy: Meet the Triplets
Infrastructure: Sprockets & Moving Parts - Compute, Network, Storage
Metastructure: Glue & Guts - IPAM, IAM, SSL, BGP, DNS, etc.
Infostructure: Content & Context - Applications, Data/Metadata, Services
These Sound Familiar...
Infrastructure: Chipset & Virtualization Compromise
Metastructure: BGP, SSL & DNS Hijacking
Infostructure: Application/WebApp Insecurity, SQL Injection
...And So Do These
Let’s highlight just a few ...
(t)rust
Availability
Confidentiality & Privacy
Visibility & Manageability
Portability & Interoperability
Reliability & Resiliency
Audit
Compliance
...and What’s Old Is New(s) Again
One Cloud Forward, Two Steps Backward
Access Control
Data Leakage
Authentication
Encryption
Denial Of Service
Key Management
Vulnerability Management
Identity Management
Application Security
Database Security
Storage Security
Protocol Security by Politeness (BGP/DNS/SSL)
Cloud Happiness :: Warm & Fuzzies
The Cloud can provide the following security benefits:
Centralized Data (sort of...)
Segmented data/applications
Better Logging/Accountability
Standardized images for asset deployment
Better Resilience to attack & streamlined incident response
More streamlined Audit and Compliance
Better visibility to process
Faster deployment of applications, services, etc.
Cloud-Specific Stuff Emerging
Organizational & Operational Misalignment
Monoculture of Operating Systems, Virtualized Components & Platforms
Privacy Of Data/Metadata, Exfiltration and Leakage
Inability to Deploy Compensating or Detective Controls
Segmentation & Isolation In Multi-tenant environments...
New Solutions To Old Problems
The Realities of Today’s CloudSec Solutions Landscape:
Whatever the provider exposes in the SaaS/PaaS/IaaS Stack (not much)
Virtual Security Appliances (VM-based)
Software in the Guest (If Virtualized)
Virtualization-Assist APIs (If Virtualized)
Integrating Appliances & Unified Computing Platforms (Network-based solutions)
Leveraging Chipset-Integrated Technology
Look for extensions of management and visibility solutions to lead - LOTS of APIs on the horizon
Look for standardized policy language and enforcement capabilities with VMs as the de facto atomic unit of the Cloud
Let’s Revisit Our Examples : Public Clouds
Amazon EC2 - IaaS
Google AppEngine - PaaS
Salesforce - SaaS
Q: How do I take my catalog of compensating controls/best practices and apply them/integrate them in each of these environments?
A: You may not be able to (or need to)
Mapping the Model to the Metal
Security Control Model:
Physical: Physical Plant Security, CCTV, Guards
Compute & Storage: Host-based Firewalls, HIDS/HIPS, Integrity & File/log Management, Encryption, Masking
Network: NIDS/NIPS, Firewalls, DPI, Anti-DDoS, QoS, DNSSEC, OAuth
Management: GRC, IAM, VA/VM, Patch Management, Configuration Management, Monitoring
Information: DLP, CMF, Database Activity Monitoring, Encryption
Applications: SDLC, Binary Analysis, Scanners, WebApp Firewalls, Transactional Sec.
Trusted Computing: Hardware & Software RoT & APIs
Cloud Model
Compliance Model: PCI, HIPAA, GLBA, SOX
PCI example controls: Firewalls, Code Review, WAF, Encryption, Unique User IDs, Anti-Virus, Monitoring/IDS/IPS, Patch/Vulnerability Management, Physical Access Control, Two-Factor Authentication...
Find the Gaps!
Cloud Security Alliance - Guidance
The Cloud Security Alliance’s 13 Critical Areas Of Focus for Cloud:
1. Architecture & Framework
Governing the Cloud:
2. Governance & Risk Mgmt
3. Legal & Electronic Discovery
5. Compliance & Audit
6. Information Lifecycle Mgmt
7. Portability & Interoperability
Operating the Cloud:
8. Traditional BCM, DR
9. Datacenter Operations
10. Incident Response
11. Application Security
12. Encryption & Key Mgmt
13. Identity & Access Mgmt
www.cloudsecurityalliance.org
CloudAudit & the A6 Deliverable
Provide a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their environments.
Allow authorized consumers of services to do likewise via an open, extensible and secure interface and methodology.
http://www.cloudaudit.org
Key Takeaways (From A Customer’s Perspective)
We already have most of what you need to make an informed set of decisions: Cloud Security comes down to the basics...
You have a risk assessment methodology, right? You classify assets and data and segment already, right?
Interrogate vendors and providers; use the same diligence that you would for outsourced services today; focus on resilience/recovery, SLAs, confidentiality, privacy and segmentation. See how they twitch.
The challenge is to match business/security requirements against the various *aaS model(s) and perform the gap analysis
Each of the *aaS models provides a delicate balance of openness, flexibility, control, security and extensibility
Go back & look at the “Right For the Cloud?” criteria
REGARDLESS of the model, you are still responsible for some element of security
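The exercise the deck keeps coming back to, from "What This Means To Security" through "Find the Gaps!" to these takeaways, is a gap analysis: for a given *aaS model, which required controls the provider runs and has attested, which ones sit in the provider's layers but are not attested (so you must RFP/contract them in), and which ones sit in layers you operate (so you must build them in). The following Python is an added example, not from the slides, Cisco or the CSA. It assumes a constructed, simplified split of the security-control-model layers between provider and customer for each SPI model, and a constructed PCI-style requirement list using the control names from the "Mapping the Model to the Metal" slide; a real provider's responsibility line must come from its contract and attestations, not from this table.

```python
"""Gap analysis: compliance requirements vs. what a cloud service model lets you control.

Added example (not from the slides). The per-model layer split and the
requirement list are constructed assumptions for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """A security control and the layer of the control model it lives in."""
    name: str
    layer: str


# Layers of the security control model, bottom to top, as on the slide.
LAYERS = ("physical", "compute_storage", "network", "management",
          "information", "applications")

# Control catalog keyed by name. Control names come from the slide's PCI
# example list; the layer each is assigned to is an assumption for this example.
CATALOG = {
    "physical_access_control": Control("physical_access_control", "physical"),
    "anti_virus": Control("anti_virus", "compute_storage"),
    "firewalls": Control("firewalls", "network"),
    "monitoring_ids_ips": Control("monitoring_ids_ips", "network"),
    "unique_user_ids": Control("unique_user_ids", "management"),
    "two_factor_auth": Control("two_factor_auth", "management"),
    "patch_management": Control("patch_management", "management"),
    "encryption": Control("encryption", "information"),
    "code_review": Control("code_review", "applications"),
    "waf": Control("waf", "applications"),
}

# Constructed requirement set: the controls a PCI-style regime expects to see.
REQUIREMENTS = {
    "PCI": ["firewalls", "encryption", "unique_user_ids", "anti_virus",
            "monitoring_ids_ips", "patch_management", "physical_access_control",
            "two_factor_auth", "waf", "code_review"],
}

# ASSUMPTION: the layers the provider operates in each SPI model. The lower
# down the stack the provider stops, the more the customer must build itself.
PROVIDER_LAYERS = {
    "IaaS": {"physical"},
    "PaaS": {"physical", "compute_storage", "network"},
    "SaaS": {"physical", "compute_storage", "network", "management",
             "applications"},
}


def responsible_party(model: str, control_name: str) -> str:
    """Return 'provider' or 'customer' for a catalogued control under a model."""
    if model not in PROVIDER_LAYERS:
        raise ValueError(f"unknown service model: {model}")
    control = CATALOG[control_name]
    return "provider" if control.layer in PROVIDER_LAYERS[model] else "customer"


def gap_analysis(model: str, regime: str, provider_attested: set[str]) -> dict:
    """Sort a regime's required controls into three buckets for one model.

    provider       - provider runs the layer AND has attested the control
    contract_gap   - provider runs the layer but has NOT attested the control;
                     you cannot deploy it yourself, so RFP/contract it in
    customer_build - the layer is yours; build the control in yourself
    """
    result = {"provider": [], "contract_gap": [], "customer_build": []}
    for name in REQUIREMENTS[regime]:
        if name not in CATALOG:
            raise KeyError(f"control not in catalog: {name}")
        if responsible_party(model, name) == "provider":
            bucket = "provider" if name in provider_attested else "contract_gap"
        else:
            bucket = "customer_build"
        result[bucket].append(name)
    return result


def coverage_ratio(analysis: dict) -> float:
    """Fraction of required controls already covered by provider attestation."""
    total = sum(len(bucket) for bucket in analysis.values())
    return len(analysis["provider"]) / total if total else 0.0


if __name__ == "__main__":
    # Constructed provider attestations (what an RFP answer or audit report claimed).
    attested = {"firewalls", "monitoring_ids_ips", "physical_access_control"}
    for model in ("IaaS", "PaaS", "SaaS"):
        report = gap_analysis(model, "PCI", attested)
        print(f"{model}: provider covers {report['provider']}")
        print(f"      contract in:  {report['contract_gap']}")
        print(f"      build in:     {report['customer_build']}")
        print(f"      attested coverage: {coverage_ratio(report):.0%}")
```

Running it with the same attestation set across the three models makes the slide's point concrete: under IaaS almost everything lands in the build-in bucket, under SaaS the same controls land in the contract-in bucket, and the only control that stays with the customer in every model is the one in the information layer. The contract-gap list is the one to take into vendor interrogation, because those are controls you can neither verify nor deploy yourself.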
References
Cloud Computing Google Groups:
• Cloud Computing: http://groups.google.com/group/cloud-computing
• Cloud Computing Interoperability Forum: http://groups.google.com/group/cloudforum
• Cloud Storage: http://groups.google.com/group/cloudstorage
• Read Craig Balding’s Blog: http://www.cloudsecurity.org
• Read Christofer Hoff’s Blog: http://www.rationalsurvivability.com
• Join the Cloud Security Alliance & CloudAudit...