C97-694080-00 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Javier Liendo, CSE Security, [email protected], Mexico City, May 15th, 2012
• Cloud Security – What’s changed?
• Cloud Threats – What are new threats specific to cloud?
• Cisco Cloud Security
“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
1. Cloud Software as a Service (SaaS) – Use provider’s applications over a network
2. Cloud Platform as a Service (PaaS) – Deploy customer-created applications to a cloud
3. Cloud Infrastructure as a Service (IaaS) – Rent processing, storage, network capacity, and other fundamental computing resources
• Private cloud – Enterprise owned or leased, may reside on or off premise
• Community cloud – Shared infrastructure for a specific community with common concerns/goals
• Public cloud – Sold to the public, mega-scale infrastructure
• Hybrid cloud – Composition of two or more clouds
[Figure: who controls the stack. Four deployment options are arranged left to right: Private Cloud (IaaS), Hosted/Private Virtual Cloud (IaaS), Public Cloud (IaaS) and Public Cloud (SaaS). Control shifts from “IT is in control” through “Shared control” to “‘They’ are in control”. Each column shows the same layers: Network, Storage, Server, VM, App and Data, with Security spanning all of them.]
Old vs. New
• Old: Protect the perimeter – New: Protect the data (and application); protect the hypervisor
• Old: Place it in the right security zone – New: VMs in motion need to move with ‘attached’ security policy
• Old: Zones are static – New: Zones are dynamic and on the move!
• Old: Machine-to-machine traffic can be seen on ‘the wire’ – New: Virtualization means machine-to-machine traffic never leaves the host
• Old: Trust the ‘insider’ – New: Pervasive distrust
• Old: Dedicated is secure – New: Any shared resources need security scrutiny
• Economics
• Agility
• Experience
• Security
[Figure: the traditional enterprise. The Corporate Border encloses the Corporate Office, Branch Office, Applications and Data, and Policy; outside it sit Attackers, Customers and Partners.]
[Figure: the same enterprise with cloud and mobility. Home Office, Coffee Shop, Airport and Mobile User now sit outside the Corporate Border alongside Attackers, Customers and Partners, together with Platform as a Service, Infrastructure as a Service, Software as a Service and X as a Service.]
[Figure: Cisco cloud security architecture. A Cloud Customer (Campus) connects over IPsec/SSL to a Private Cloud (VDC1, VDC2, vPC) and, via the Internet, to a Public Cloud. Three numbered callouts group the security functions: threat defense, secure multitenancy and secure communications; policy management, access control, threat defense and DLP; secure multitenancy, separation of duties and data protection. Components shown: Cisco VSG, Cisco ASA 5585-X, Cisco UCS™, Virtualization Hypervisor, Cisco AnyConnect™, Cisco ASA 1000V, VMs, Active Directory, Cisco Identity Services Engine, Cisco IronPort® Email, Cisco® ScanSafe Web Security, Cisco Security Intelligence Operations (SIO), Cisco TrustSec®, Cisco VXI.]
Cloud Security as a Service
• Cisco ScanSafe Web Security and Filtering
• Cisco IronPort® Cloud, Managed, and Hybrid Email Security
• Cisco SIO
Secure Cloud Infrastructure
• Cisco ASA 5585; ASA SM; ASA 1000V
• Cisco Nexus® 1000V switch
• Cisco Virtual Security Gateway
Related AS Security Services
• Secure Cloud Discovery Service
• Security PDI
• IT-GRC Services
Secure Cloud Access
• Secure SaaS access
• Cisco AnyConnect™
• Cisco TrustSec®
• Cisco Identity Services Engine
• VPN
Thank you.