
Secure Cloud Computing

Academic year: 2021



Agenda

• Current Security Threat Landscape
• Overview: Cloud Security
• Overall Objective of Cloud Security
• Cloud Security Challenges/Concerns
• Cloud Security Requirements
• Strategy for Securing Cloud Infrastructure & Services
• Approach & Methodology for Securing Cloud Infrastructure & Services
• Government laws regarding data security and controls


Advanced Targeted Attack Life Cycle

[Figure: attack life cycle running from Preparation to Attack, Compromise, Discovery, Containment and Replacement Process]

• Attack motives: theft, espionage, sabotage, criminal
• Compromise: high value data and key systems; exploit weakness; stealthy
• Discovery: after the fact
• Containment: expensive, public, uncertainty


Security-Related TCO Is Skyrocketing

• Multiple products operate in separate functional silos
• Constantly rising costs of operational security
• No efficiency, no effectiveness
• Stale defenses lack adaptive, context-aware capabilities


Recent Notable Advanced Targeted Attacks

• Targeted attacks against Point-of-Sale (POS) systems
• Memory parsing/scraping malware
• Extracts full magnetic stripe data out of memory
• Not detected by traditional A/V
• Not detected for a significant amount of time
• Substantial damage – million credit cards were exfiltrated in the TARGET compromise
• Containment took long (VISA)


Evolution of the Datacenter

[Figure: three stages, from the Discrete Datacenter through Consolidation to the Virtualized Datacenter and on to the Cloud Datacenter]

• Discrete Datacenter: discrete networks; separate compute, storage, network and management; traditional security with policies tied to physical attributes
• Virtualized Datacenter: flexible management; 10G unified network; unified network, servers, storage arrays, management and VMs; virtualized security with context-aware policies
• Cloud Datacenter: efficient and secure; open architecture; simplified network

Cloud Infrastructure: Network, Storage, Compute, Security
Datacenter Facilities (e.g. cooling, power)


Cloud Enabler: Virtualization

Virtualization = new platform for greater flexibility

• Flexibility & Scalability
– Rapid deployment of servers & desktops based on standard builds
– Heterogeneous OS & application environment running on one single HW
• Virtualization changes the definition of an endpoint
– Virtualized systems are no longer systems, they become data


The Business Need for a New Model – Reduce Costs, Improve Agility

[Figure: deployment-time chart, axis label "Few Days"]

Reduce Costs, Improve Agility… for all Datacenter Security and Services


Virtual Datacenter – Cloud Infrastructure

Datacenter spans physical, virtual and cloud deployments

[Figure: layered stack]
• Manage: Dashboard, Policies, Workflows, Compliance
• Workloads / Applications: SaaS, PaaS, IaaS
• Data
• Infrastructure: Compute, Storage, Network
• Essential Characteristics


Overall Objective of Cloud Security: Transparency

• Transparency
• Confidence
• Secure cloud infrastructure – physical & virtual
• Delivering secure cloud services
• Providers should implement current & future cloud standards & certifications
• Automation of auditing &


Cloud Security Challenges/Concerns

• Data and Identity Centric Controls in Cloud are hard
– Dynamic perimeter based on data access and service requirements vs. logical network separation
– How to provision (and de-provision) identity + authorization across a network of providers
– Data leakage threats from cloud infrastructure
– Database compromises from cloud infrastructure
• High Availability and Performance requirements
– Virtual infrastructure makes traditional security solutions difficult on both network
• Lack of Visibility in Inter-VM traffic
• Content security
– Advanced Persistent Threats (e.g. Stuxnet, Operation Aurora, Operation Shady RAT etc.)
– Security controls need to understand the legacy and next generation message exchange protocols
– Anti-malware protection across large volumes of data must be optimized
– Protect access to critical data resources from multiple threat vectors


• Dynamic Risk Assessment
– Enterprise framework that supports machine-to-machine data collection for continuous monitoring
– Comprehensive assessment for vulnerability, behavior, configuration and impact
– Real-time discovery capability for assets, applications and data
• Threat-Based Defense
– Defend the key attack vectors and priority targets based on intelligence
– Automated assessments with countermeasure awareness
– No impact to availability or performance of critical systems
– Handling APT attacks
• Monitoring across several domains
– Integration of IT risk data or events with cyber-physical data for impact decisions & higher level decision support systems
– Handling Big Security Data


Strategy for Secure


• Secure the Physical and Virtual Datacenter Architecture
– Defend the whole of the datacenter from infrastructure to application and across all threat vectors
– Enable comprehensive readiness assessment for web applications, databases and systems
– Provide continuous monitoring, rapid data retrieval and analysis for incident response
– Application access through API calls
• Secure the Cloud Provider
– Protect data and identity services in the provider datacenter
– Secure Software-as-a-Service providers with Cloud Security Platform
• Enable Secure Use of Cloud Services
– Understand messaging protocols to ease integration of legacy systems and provide data loss protection
– Identity management provided by Cloud Based Identity Management solution


Cloud Security Components for VDC

• Unified Management / SIEM
• Server Security: Memory Protection, Application Whitelisting, Change Control, Hardware Assisted Security
• Security Monitoring and Management: Datacenter Asset Inventory with Security Overlay, Risk Based Event/Log Correlation, Local Threat Intelligence, GTI
• Secure Data in Motion: Content & Context Visibility, Virtualized Network Protection
• Secure Data at Rest: Encryption & Database Security, Securing data at Storage
• Virtualized Platform: Hypervisor Security, Resource Optimization through Offloading, Agent-less Security through Integration with VMM
• Virtual Network Security: Advanced Evasion Prevention, Virtual Intrusion Prevention


McAfee Confidential—Internal Use Only

Unified Management

• Unified Management Across Physical, Virtual and Cloud
– Access from anywhere via web-based UI
• Highly Extensible
– Leverage partner ecosystem
– APIs to adapt to changing market and business requirements
• End-to-end Visibility and Control
– Insight into policies and compliance posture across applications, endpoints, servers and networks
– SIEM for situational and context awareness

[Figure: Management (Unified Command Center) with Open APIs, Automated Compliance Auditing (Policy Auditor / Vulnerability Manager) and Partner Ecosystem; outputs: Alerts, Notifications, Reporting, SLAs]

Regulations: SOX, HIPAA, GLBA, FISMA
Frameworks: ISO 27001, COBIT, NIST
Standards: PCI DSS, CIS, NIST, DISA STIGS, FDCC


Global Threat and Vulnerability Intelligence


Scalable Architecture

Cloud Based Unified Security Management Platform

[Figure: platform layers from Log Management (traditional context) through Content Aware and Dynamic Context up to Visualize, Investigate, Respond; inputs from the Global Threat Landscape and the Enterprise Risk Landscape; components: ePolicy Orchestrator, Risk Advisor, Advanced Correlation Engine, Big Security Data DB, High Speed Intelligent Correlation, Applications Database (optimized)]

• See log frequencies, search for logs, correlate events
• What data is involved?
• Who is doing it? Are they a bad actor?
• What is the risk of the system?
• What is the risk of the user?
• Threat intelligence feed, immediate alerting, historical analysis
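As an added example (not part of the deck or any product), the following Python sketches the risk-based event/log correlation the slide lists: it parses constructed key=value log lines, scores each event by an assumed system risk and user risk, adds weight for a constructed threat-intel indicator, a run of failed logins followed by success, and a bulk read of a sensitive table. All hosts, users, addresses and weights are assumptions.

```python
import re
from collections import Counter

# Constructed sample logs in key=value form (not taken from the deck).
SAMPLE_LOGS = """\
2021-03-01T10:00:07 host=db01 user=alice src=10.0.0.5 event=query table=cardholders rows=50000
2021-03-01T10:00:09 host=web02 user=bob src=203.0.113.9 event=login result=failure
2021-03-01T10:00:10 host=web02 user=bob src=203.0.113.9 event=login result=failure
2021-03-01T10:00:11 host=web02 user=bob src=203.0.113.9 event=login result=failure
2021-03-01T10:00:12 host=web02 user=bob src=203.0.113.9 event=login result=success
"""
# Assumed enrichment context: asset risk, user risk, a threat-intel feed of known-bad
# sources (documentation-range address, stands in for a GTI hit) and sensitive tables.
ASSET_RISK = {"db01": 9, "web02": 4}        # 1..10, higher = more critical system
USER_RISK = {"alice": 2, "bob": 7}          # 1..10, e.g. from IAM/HR signals
THREAT_INTEL = {"203.0.113.9"}
SENSITIVE_TABLES = {"cardholders"}
KV_RE = re.compile(r"(\w+)=(\S+)")          # the timestamp has no '=', so it is skipped

def parse(text):
    """One dict per non-empty log line, keyed by the key=value fields."""
    return [dict(KV_RE.findall(line)) for line in text.splitlines() if line.strip()]

def correlate(events, fail_threshold=3):
    """Score = asset risk + user risk, then add threat intel and sequence context."""
    failures = Counter()          # (user, src) -> failed logins seen so far
    alerts = []
    for ev in events:
        score = ASSET_RISK.get(ev.get("host"), 1) + USER_RISK.get(ev.get("user"), 1)
        reasons = []
        if ev.get("src") in THREAT_INTEL:               # "are they a bad actor?"
            score += 10
            reasons.append("source in threat intel")
        key = (ev.get("user"), ev.get("src"))
        if ev.get("event") == "login" and ev.get("result") == "failure":
            failures[key] += 1
        elif ev.get("event") == "login" and failures[key] >= fail_threshold:
            score += 8                                  # brute force followed by success
            reasons.append(f"success after {failures[key]} failures")
        if ev.get("table") in SENSITIVE_TABLES and int(ev.get("rows", 0)) > 1000:
            score += 8                                  # "what data is involved?"
            reasons.append("bulk read of sensitive table")
        if reasons:
            alerts.append({"user": ev.get("user"), "host": ev.get("host"),
                           "score": score, "reasons": reasons})
    return alerts
```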


[Figure: Cloud Security Platform. Enterprise side: Email, Authentication, Web, Data Loss and Intrusion protection for Enterprise Mobile Users, Enterprise Users and Private Cloud Applications. Cloud side: Partners, Cloud Vendors, Applications, Customers, Cloud Ecosystem. Platform backed by Global Threat Intelligence; Unified Management, Policy and Reporting, Integration; modules delivered as SaaS or Appliance; services: Identity Management Services, API Gateway, Web Security, Data Loss Prevention, Email Security]


Cloud Access Challenges – Identity Management

[Figure: challenges paired with capabilities]

Challenges:
• Lack of Visibility
• Multiple Logins / Weak Security
• Manual Provisioning
• Audit Silos

Capabilities:
• ID Infrastructure Integration (AD & IAM)
• Scalable, Federated Trust
• Single Sign On (SSO) & Strong Authentication
• Centralized Management Console
• Standards Based AuthN & Provisioning Connectors
• Auto Account Provisioning & Profile Sync


Identity Management with Strong Authentication

• Regulatory Compliance
– Rich audit trail of user login showing AuthN level
– De-provision and orphan account reports
• Secure SSO
– Federate Windows/AD login to popular SaaS like Salesforce and Google Apps
• Adaptive Strong Auth
– Selectively apply 2nd factor OTP AuthN
– Variety of software AuthN methods and devices: mobile devices, SMS, email
• Provision Access
– Provision/de-provision user accounts
– AD integration
– Sync Id profiles


Deployment “to the cloud”

[Figure: Old Enterprise Perimeter (Portal / Apps, Custom Apps, IdM or Active Directory, Mgt Console, Audit Repository) next to a Dynamic Perimeter (Cloud SSO, Cloud Identity, Service API Calls); the User Browser sends the SSO Request]

1. Account Provisioning (Provisioning Policy, Account Provision from IdM or Active Directory)
2. Browser Federation/SSO (Internal Session federated to Cloud SSO)
3. Step up OTP Strong Auth
4. Central Monitoring, Audit, Privacy Settings

Bring secured, monitored cloud endpoints under enterprise IT control
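As an added illustration (not the deck's or any product's code), this Python models the identity slides above as one policy decision: directory entitlements drive account provisioning (step 1), the federated AD login counts as AuthN level 1 (step 2), a selectively applied OTP step-up raises it to level 2 (step 3), every decision lands in a central audit list showing the AuthN level (step 4), and a de-provision routine plus an orphan-account report cover the compliance bullets. Directory contents, app names and the policy are constructed.

```python
# Constructed directory (IdM / Active Directory) and accounts already present in SaaS apps.
DIRECTORY = {"alice": {"finance"}, "bob": {"sales"}}          # user -> groups
SAAS_ACCOUNTS = {"salesforce": {"bob", "carol"}, "googleapps": {"alice", "bob"}}

# Assumed provisioning policy: group entitlements per app, and which apps need a
# second factor (OTP) on top of the federated login.
ENTITLEMENTS = {"salesforce": {"sales"}, "googleapps": {"sales", "finance"}}
STEP_UP_APPS = {"salesforce"}
AUDIT = []   # central audit repository: one record per decision, with its AuthN level

def audit(user, app, outcome, reason, level):
    rec = {"user": user, "app": app, "outcome": outcome, "reason": reason, "authn_level": level}
    AUDIT.append(rec)
    return rec

def entitled(user, app):
    """True when the directory user holds a group that the app's policy admits."""
    return bool(DIRECTORY.get(user, set()) & ENTITLEMENTS.get(app, set()))

def sso_request(user, app, otp_ok=None):
    """Cloud SSO decision for one browser request (steps 1 to 4 of the deployment slide)."""
    if not entitled(user, app):
        return audit(user, app, "denied", "no entitlement in directory", level=0)
    SAAS_ACCOUNTS.setdefault(app, set()).add(user)        # 1. account provisioning
    level = 1                                             # 2. federated AD login
    if app in STEP_UP_APPS:                               # 3. step-up OTP strong auth
        if otp_ok is None:
            return audit(user, app, "challenge", "OTP required", level=1)
        if not otp_ok:
            return audit(user, app, "denied", "OTP failed", level=1)
        level = 2
    return audit(user, app, "granted", "sso", level=level)  # 4. central audit

def deprovision(user):
    """Remove a leaver from the directory and from every SaaS app in one step."""
    DIRECTORY.pop(user, None)
    for accounts in SAAS_ACCOUNTS.values():
        accounts.discard(user)
    return audit(user, "*", "deprovisioned", "leaver", level=0)

def orphan_report():
    """SaaS accounts with no entitled directory user behind them (audit finding)."""
    return {app: sorted(a for a in accounts if not entitled(a, app))
            for app, accounts in SAAS_ACCOUNTS.items()
            if any(not entitled(a, app) for a in accounts)}
```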


Diverse Apps are Exposed as “Services & APIs” to Consumers

[Figure: App Types mapped through an Abstraction Pattern to Services]

APIs are everywhere

[Figure: Enterprise connected through an API to several Cloud Providers]

• Applications move off premise
– Fast Changing Cloud APIs
• Leverage third-party services
– API Shielding

A Service Gateway Broker Model Makes a lot of sense

[Figure: Enterprise brokered through a Service Gateway to several Cloud Providers]

APIs can be exposed, consumed, and proxied to a Service Gateway to offload security & communicate with back end infrastructure vs point-to-point integration


Data Loss Prevention

[Figure: DLP cycle, Source flowing through Analyze, Evaluate, Protect]

• DLP Discover: Find and Inspect
• DLP Monitor: Capture
• DLP Prevent: Enforcement Policy (Move, Educate, Encrypt, Block, Monitor)
• Coverage: At Rest, In Use, In Motion; Policy Intelligence; Application
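Added example, not from the deck: the Discover, Evaluate and Prevent steps for one data type (payment card numbers, the data stolen in the POS attacks described earlier), with a Luhn check so Discover only reports real PANs and an assumed policy mapping the channel (at rest, in motion, in use) to encrypt, block or monitor. Samples, locations and the policy are constructed; the card numbers are standard test PANs.

```python
import re

# Constructed samples as seen by DLP Discover (at rest), DLP Monitor (in motion)
# and an endpoint agent (in use).
SAMPLES = [
    {"channel": "at_rest", "location": "file://fileserver/finance/q1.xlsx",
     "text": "customer 4111111111111111 paid 120.00"},
    {"channel": "in_motion", "location": "smtp:bob@example.com->partner@example.net",
     "text": "attached list: 5555555555554444, 4111 1111 1111 1111"},
    {"channel": "in_use", "location": "clipboard:alice",
     "text": "order ref 1234567890123456"},   # 16 digits, but not a valid card number
]

# Assumed enforcement policy (Protect step): the action depends on where the data is.
POLICY = {"at_rest": "encrypt", "in_motion": "block", "in_use": "monitor"}
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # 13-19 digits, spaces/dashes allowed

def luhn_ok(digits):
    """Luhn checksum, so random 16-digit strings do not trigger the policy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text):
    """Discover: find and inspect candidate card numbers, keep the Luhn-valid ones."""
    candidates = (re.sub(r"[ -]", "", m.group()) for m in PAN_RE.finditer(text))
    return [c for c in candidates if luhn_ok(c)]

def evaluate(sample):
    """Evaluate: decide the Prevent action for one piece of content on one channel."""
    pans = find_pans(sample["text"])
    action = POLICY[sample["channel"]] if pans else "allow"
    return {"location": sample["location"], "action": action, "pans": len(pans)}

def run(samples=SAMPLES):
    """Monitor: capture one decision per sample, e.g. for the DLP console."""
    return [evaluate(s) for s in samples]
```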


Email Protection In Cloud

Email Protection (maximized scalability and security)

• Unified Policies & Quarantines
• Delivery Platforms (Appliance, Virtual Appliance, SaaS, Blade Server, and Hybrid)
• Simplified Cost Model
• Business Continuity
• Mobile Devices
• Layered Protection


Web Protection In Cloud

• Common Policy
• Delivery Platforms (Appliance, Virtual Appliance, SaaS, Blade Server)
• Pricing Consistency
• Common Reporting
• Mobile Workers & Devices
• Security Services (Web Filtering, Gateway Anti-malware, GTI, DLP, SSL, App Control)


Summary: Key Attributes of Secure Cloud Services

Easier to Manage
• Consolidated solution
• Centralized reporting through Unified Management
• Open platform to integrate existing solutions

More Flexibility
• Modular based
• On-premise, SaaS or virtual
• Protect headquarters, remote offices and mobile users

Greater Protection
• Creates secure bridge covering primary Cloud traffic channels
• Consistent protection & policies across web, identity & email
• Real-time protection via Global Threat Intelligence

Government laws regarding data security and controls

• Indian IT Act 2000 (Amendment 2008)
– Section 43A of the Information Technology (Reasonable security practices and procedures and sensitive personal data information) Rules 2011: “The provision require any corporate bodies which 'receives, possesses, stores, deals, or handles any 'sensitive personal data' to implement and maintain 'reasonable security practices', failing which, they are held liable to compensate those affected”
– Section 72A of the (Indian) Information Technology Act, 2000: disclosure of information, knowingly and intentionally, without the consent of the person concerned and in breach of the lawful contract.
– Section 72 of the IT Act provides for penalty for breach of confidentiality and privacy.

Some of the links are as follows:

http://deity.gov.in/content/cyber-laws

http://deity.gov.in/sites/upload_files/dit/files/Clarification%2079rules(1).pdf

http://deity.gov.in/sites/upload_files/dit/files/GSR3_10511(1).pdf


Securing Cloud Infrastructure & Services – Summary

Cloud Security Survivability = Speed of Detection


Q&A
