Projecting Enterprise Security Requirements on the Cloud
Case Study: Cloud
Presented by:
Billy Cox – Director Cloud Computing Strategy, Intel
Blake Dournaee – Product Manager & Author, SOA Demystified, Intel
Topic Agenda
• Enterprise Risk Factors & Criteria
• What can Enterprise Control
• Emerging Standards & Models
• What Can be Done Today
• Summary of Intel Cloud Capabilities
Enterprise Requirements
Potential Risk - Illustrated (Amazon EC2): Basic Auth enterprise credentials compromised for access; Enterprise VM Images: Keys to the Castle
Potential Risk - Illustrated (Amazon EC2): Rogue image / trojan injected amongst enterprise VMs
Potential Risk - Illustrated (Amazon EC2): Virus replayed back in the Enterprise; data sent and lost to an unknown source
Enterprise Risks & Security Interests (risk, enterprise view, provider view)

Insecure, Porous APIs
  Enterprise: Major Risk. Man in the middle, content threats, code injection, DoS attacks
  Provider: Don’t care. API security converges along with market price

Logical Multi-Tenancy
  Enterprise: Unknown Risk. Virtual machine attacks, malicious code, commingled data
  Provider: Don’t care. Security of the multi-tenant architecture is a problem for [Insert Hypervisor Vendor Name] to solve. Oh, and trust us that your data is separate from your neighbor

Data Protection and Leakage
  Enterprise: Major Risk. Reduced confidentiality for private data stored in the clear at the cloud provider
  Provider: Opposite incentive. Clear text data allows me to provide increased functions based on search

Data Loss and Reliability
  Enterprise: Major Risk. Unavailability or loss of critical enterprise data
  Provider: Care a little. Infrastructure reliability is guaranteed according to my SLA, plus you get a refund if we mess up ☺

Audit and Monitoring
  Enterprise: Major Risk. Rogue uses of cloud services in the Enterprise
  Provider: Care a little. I will provide basic monitoring of infrastructure but the rest is up to you

Cloud Provider Insider Threats
  Enterprise: Unknown Risk. Mismatched security practices at the CSP create a weak link for attackers
  Provider: Don’t care. We are secure enough. Just trust us.

Account Hacking, Access Control, and Authorization
  Enterprise: Major Risk. Coarse access control at the CSP increases the value of a stolen account
  Provider: Care a little. AAA mechanisms must be good enough to support my SaaS app. It’s your job to map to our way of handling identities.
Where does Control Lie?
Four of the seven risks are directly under enterprise control:
• Insecure, Porous APIs
• Data Protection and Leakage
• Audit and Monitoring
• Account Hacking, Access Control, and Authorization
Short of a boycott, the remaining three are largely out of the enterprise’s control:
• Logical Multi-Tenancy
• Data Loss and Reliability
• Cloud Provider Insider Threats
DMTF Cloud Standards
SNIA Cloud Standards
Cloud - Eucalyptus (Lab Infrastructure diagram)
Components shown: Cloud Client (consumer), Router, Customer Network, Caching Proxy, Cloud Controller, Walrus Storage Service, Storage Server, Block Storage Controllers (iSCSI), Cluster Controllers, Node Controllers (Compute Clusters), Power Manager.
Diagram captions: Eucalyptus Cloud Infrastructure; Bulk Storage; Power Management; Cluster block storage and compute managers.
Basic Model (diagram)
Diagram elements: User; Enterprise IdM (credentials & policies); Security Profile attached to the Web Service Request (UDDI or Resource); Cloud Provider Internal IdM (user credentials & policies).
The Security Profile carries:
• Authentication token
• Customer access control policies
• Customer data protection policies
Cloud Access through a Broker (diagram)
Diagram elements: User; Enterprise IdM (credentials & policies, Security Profile); Web Service Request (UDDI or Resource); Cloud Broker (External IdM and Internal IdM, user credentials & policies, broker credentials & policies, Security Profile, issues a Broker Token); Cloud Service Provider (Internal IdM, broker credentials & policies).
#1 – Broker as Management Entry Point
• Entry point for cloud management (not data, only mgmt)
• Single point of entry and validation for all sites and Cloud Consumers
• Consistent credentials validation
Diagram elements: Enterprise Consumer; Cloud Mgr (each Request carries an Identity Reference); Cloud Provider IdM at Cloud Site 1, Cloud Site 2 and Cloud Site 3.
#2 – Broker as Outbound PEP
• Cloud customer accesses multiple clouds
• Internal users don’t want to see that complexity
• Broker directs based on policy and converts protocols as necessary
• Secures provider access credentials
Diagram elements: Enterprise Consumer users inside a Dynamic Perimeter; Service Gateway; Private Cloud; UDDI or Resource; Cloud Provider 1 and Cloud Provider 2 (Public Cloud & SaaS).
In a VPDC, the Service Gateway protects access to Services, maps credentials, enforces ABAC, and brokers protocols & formats.
Private Cloud Virtual Gateway Usage Model (Dynamic Enterprise Perimeter diagram)
1. User AuthN/Auth: SOAP/REST, Kerberos, Basic Auth, Siteminder, X.509
2. Virtualize, Load Balance, Firewall, Generate SAML Token (Service Virtualization; IdM, Active Directory, ABAC)
3. SOAP, REST or JSON SAML Response
Diagram elements: Enterprise (Portal & CRM App); Partner; Private Cloud 1; Private Cloud 2.
CloudBurst Security Using Virtual Gateway (diagram)
1. Request with credentials to access a resource (from the Enterprise Portal or Web Service)
2. Locate resource(s) (UDDI or Resource)
3. Local authentication (IdM or Active Directory)
4. Mapped to an AWS credential in the request for the resource (Amazon EC2 Storage, Public Cloud)
5. Generate SAML request with the request for the resource to Force.com (Force.com Apps, Public Cloud)
Diagram elements: Enterprise inside the Dynamic Enterprise Perimeter; Private Cloud (API & HSM); API & Token Broker.
Manage, secure, hide Cloud brokering complexity. Convert formats. Provide access control.
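The broker flow in the two usage models above (local authentication, resource lookup, ABAC policy check, mapping to a provider credential held only by the broker, or a SAML-style assertion for a SaaS provider), as an added Python sketch that is not Intel's or SOA Expressway's code. The directory, catalogue, vault values and the simplified keyed-hash signing are all constructed for the example; real AWS request signing and SAML encoding are not implemented.

```python
import hashlib
import hmac
import time

# Constructed enterprise directory standing in for IdM / Active Directory (step 3).
_SALT = b"example-salt"

def _pw_hash(pw):
    return hashlib.sha256(_SALT + pw.encode()).hexdigest()

DIRECTORY = {
    "alice": {"pw": _pw_hash("alice-pass"), "dept": "finance", "role": "analyst"},
    "bob": {"pw": _pw_hash("bob-pass"), "dept": "eng", "role": "developer"},
}
# Constructed resource catalogue (step 2): resource -> provider and the ABAC rule
# (attributes the caller must match).
CATALOGUE = {
    "s3://reports": {"provider": "aws", "allow": {"dept": "finance"}},
    "force://leads": {"provider": "force", "allow": {"role": "developer"}},
}
# Provider credentials live only in the broker (steps 4 and 5); placeholder values.
VAULT = {
    "aws": {"key_id": "AWS-KEY-ID-PLACEHOLDER", "secret": "aws-secret-placeholder"},
    "force": {"issuer": "broker.example.internal"},
}
AUDIT = []  # (user, resource, decision): the enterprise's own audit trail

def broker_request(user, password, resource):
    """Validate the inbound request, apply policy and return the outbound
    provider-side request, or None when denied. Callers never see provider secrets."""
    entry = DIRECTORY.get(user)
    if entry is None or not hmac.compare_digest(entry["pw"], _pw_hash(password)):
        AUDIT.append((user, resource, "auth-failed"))
        return None
    res = CATALOGUE.get(resource)
    if res is None:
        AUDIT.append((user, resource, "unknown-resource"))
        return None
    if any(entry.get(attr) != want for attr, want in res["allow"].items()):
        AUDIT.append((user, resource, "policy-denied"))
        return None
    cred = VAULT[res["provider"]]
    if res["provider"] == "aws":
        # Simplified keyed-hash signing: only the key id and signature leave the broker.
        sig = hmac.new(cred["secret"].encode(), resource.encode(), "sha256").hexdigest()
        out = {"resource": resource, "key_id": cred["key_id"], "signature": sig}
    else:
        # SAML-style assertion for the SaaS provider; a short lifetime limits replay.
        out = {"resource": resource, "saml": {"issuer": cred["issuer"], "subject": user,
                                               "expires": int(time.time()) + 300}}
    AUDIT.append((user, resource, "allowed"))
    return out
```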
www.dynamicperimeter.com
“This Intel paper brings new detail to Cloud Security Alliance best practices” – Jim Reavis, Executive Director, Cloud Security Alliance
More Information on Intel SOA Expressway & Cloud
Questions?