Don’t Forget Your Security Umbrella in the Cloud
Copyright 2009 Trend Micro Inc.
Why the cloud matters?
Speed and Business Impact
Expertise and Performance
Massive Cost Reduction
1) The Cloud Imperative… If by mid-year you have not developed and begun to execute upon an ambitious enterprise-wide cloud strategy, then by year-end the odds are good you'll no longer be a CIO.
The Evolving Datacenter
Stage 1: Consolidation
Stage 2: Biz Applications & Desktop
Stage 3: IaaS + Public Cloud
[Figure: axis marks 15%, 30%, 70%, 85%; series: Servers, Desktops]
Cost-efficiency + Quality of Service + Business Agility
Substance Emerging From Cloud Hype
Cloud Computing Reduces Costs, Increases Agility
Pharmaceutical R&D and The Cloud
“Drug behemoth Eli Lilly and Co. …uses Amazon's Elastic Compute Cloud (EC2) for scientific collaboration and computations … because they empower many subsets of users.”
SearchCIO.com, 30 July 2009
Public Cloud for Backup & Storage
Using public cloud services, GE reduced backup costs by 40% to 60%, created reusable processes in a rapidly deployable model.
Matt Merchant, General Electric (December 2009)
Top 10 Strategic Technologies in 2010
“Cloud Computing. Organizations should think about how to approach the cloud in terms of using cloud services, developing cloud-based applications and implementing private cloud environments.”
SearchCIO.com, 22 October 2009
Cloud Computing & Security
“CISOs and Security Architects: Don't let operations-led projects lower your security profile.
Spending In Cloud Computing
• IDC Predicts IT spending on cloud to
Classification 8/13/2010
Agenda | Datacenter & Cloud Security Vision
The Cloud Computing Evolution
Security Challenges in the Cloud
Cloud Computing Compromises
Oct 2007: Salesforce.com security breached. Repeatedly hacked (Washington Post)
Oct 2009: Amazon EC2 customer Bitbucket taken offline by Distributed Denial of Service attack (The Register)
Jan 2010: Google Gmail hacked by attacks originating in China (Financial Times)
“The #1 concern about cloud services is security.”
Source: IDC eXchange, "New IDC IT Cloud Services Survey: Top Benefits and Challenges," (http://blogs.idc.com/ie/?p=730) December 2009
Problem #1: “Outside-in” approach and rapid virtualization have created less secure application environments
Through 2012, 60% of virtualized servers will be less secure than the physical servers they replace.
Virtualization & Cloud Computing Create New Security Challenges
[Figure labels: Hypervisor; Inter-VM attacks; PCI; VM Mobility; Cloud Computing]
“Inside-Out” Model
Trend Micro Deep Security: Server & application protection for PHYSICAL, VIRTUAL, CLOUD
• Deep Packet Inspection
• IDS / IPS
• Web App. Protection
• Application Control
• Malware Protection
• Integrity Monitoring
• Log Inspection
Security virtual appliance
• Optimized protection
• Operational efficiency
Efficiency, Manageability
Security Challenges Along the Virtualization Journey
Consolidation of IT → Business Production → IaaS + Public Cloud
• Inter-VM attacks
• Instant-on gaps
• Host controls under-deployed
• Resource Contention
• Mixed trust level VMs
• Compliance / Lack of audit trail
• Data confidentiality & integrity
• Data access & governance
• Multi-tenancy
• Diminished perimeter
• Data destruction
Problem #2: Data protection is the most pressing concern, but data is mobile, distributed and unprotected.
Amazon Web Services™ Customer Agreement
7.2. Security. We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.
http://aws.amazon.com/agreement/#7 (3 March 2010)
Who Has Control?
[Figure: spectrum from End-User (Enterprise) to Service Provider: Servers; Virtualization & Private Cloud; Public Cloud IaaS; Public Cloud PaaS; Public Cloud SaaS]
Challenge of Securing Data
Datacenter: Strong perimeter security; No shared CPU; No shared network; No shared storage
Cloud: Weak perimeter security; Shared CPU; Shared network; Shared storage
Traditional “outside-in” approach is inadequate in an
Enterprise Controlled Data Protection for the Cloud
Patent pending Trend Micro technology enables enterprises to retain control of data in the cloud
Security Challenges Along the Virtualization Journey
Consolidation of IT → Business Production → ITaaS
VMware and Trend Micro help customers address these issues, and accelerate the journey
9 Data access & governance
10 Diminished perimeter
11 Multi-tenancy
12 Data destruction
Key Take-Away for Cloud Security
• Traditional security model for the physical environment will NOT work in a virtualized one.
• Cloud service providers will NOT guarantee confidentiality and integrity of your data.
Trend Micro Customer Successes
Virtualization and Cloud Computing
Workstream
Enabled business scalability while maintaining security as a differentiator
Secure HR applications and data for the Fortune 100
• 24X7 SAS-70 & SOX compliant HR services center
• Deep Security enabled a massive virtualization program; Reduced 600 servers to 20
Premier provider of talent management solutions
Beth Israel Deaconess
Enabled access to cutting-edge health care applications and data
Secure On-Demand Electronic Health Record Solution
• Private external cloud delivers SaaS EHR applications and data for network of 300 physicians across 173 locations
• Trend-setter for provider-sponsored EHR/HIPAA initiatives
• Deep Security – “our most important security layer”
The teaching hospital and network of a major
Leading Australian Bank
Enabled IT operations team to comply with corporate IT security standards
Secure Virtualized Banking Datacenter
• 400+ branches with 90% virtualization
• Experienced AV-storm.
• IT operation-led project continued w/o lowering security profile.
Leading financial institution providing retail, business, and wealth management services.
Australian Government
Enabled advancement of datacenter virtualization to meet Gershon Review.
Secure Informed Decision-Making and Research
• One of the most virtualized government entities in Australia
• 96% of the datacenter virtualized.
• Protect inter-VM traffic and audit system changes within VMs.
One of the most virtualized government