
(1)

Don’t Forget Your Security Umbrella in the Cloud

(2)

Copyright 2009 Trend Micro Inc.

Why does the cloud matter?

Speed and Business Impact

Expertise and Performance

Massive Cost Reduction

1) The Cloud Imperative… If by mid-year you have not developed and begun to execute upon an ambitious and enterprise-wide cloud strategy, then by year-end the odds are good you'll no longer be a CIO.

(3)

The Evolving Datacenter

Stage 1: Consolidation

Stage 2: Biz Applications & Desktop

Stage 3: IaaS + Public Cloud

[Figure: Servers and Desktops, with values 15%, 30%, 70%, 85%]

Cost-efficiency + Quality of Service + Business Agility

(4)


Substance Emerging From Cloud Hype

Cloud Computing Reduces Costs, Increases Agility

Pharmaceutical R&D and The Cloud

“Drug behemoth Eli Lilly and Co. …uses Amazon's Elastic Compute Cloud (EC2) for scientific collaboration and computations … because they empower many subsets of users.”

SearchCIO.com, 30 July 2009

Public Cloud for Backup & Storage

Using public cloud services, GE reduced backup costs by 40% to 60%, created reusable processes in a rapidly deployable model.

Matt Merchant, General Electric (December 2009)

Top 10 Strategic Technologies in 2010

“Cloud Computing. Organizations should think about how to approach the cloud in terms of using cloud services, developing cloud-based applications and implementing private cloud environments.”

SearchCIO.com, 22 October 2009

Cloud Computing & Security

“CISOs and Security Architects: Don't let operations-led projects lower your security profile.

(5)

Spending In Cloud Computing

IDC Predicts IT spending on cloud to

(6)


Agenda | Datacenter & Cloud Security Vision

The Cloud Computing Evolution

Security Challenges in the Cloud

(7)

Cloud Computing Compromises

Oct 2007: Salesforce.com security breached. Repeatedly hacked (Washington Post)

Oct 2009: Amazon EC2 customer Bitbucket taken offline by Distributed Denial of Service attack (The Register)

Jan 2010: Google Gmail hacked by attacks originating in China (Financial Times)

(8)


Source: IDC eXchange, "New IDC IT Cloud Services Survey: Top Benefits and Challenges," (http://blogs.idc.com/ie/?p=730) December 2009

“The #1 concern about cloud services is security.”

(9)

Problem #1:

“Outside-in” approach and rapid virtualization have created less secure application environments

Through 2012, 60% of virtualized servers will be less secure than the physical servers they replace.

(10)


Virtualization & Cloud Computing Create New Security Challenges

• Hypervisor

• Inter-VM attacks

• PCI

• VM Mobility

• Cloud Computing

(11)

“Inside-Out” Model

Server & application protection for: PHYSICAL, VIRTUAL, CLOUD

• Deep Packet Inspection

• IDS / IPS

• Web App. Protection

• Application Control

• Malware Protection

• Integrity Monitoring

• Log Inspection

(12)

Copyright 2010 Trend Micro Inc.

Trend Micro Deep Security:

Security virtual appliance

• Optimized protection

• Operational efficiency

• Efficiency

• Manageability

(13)

Security Challenges Along the Virtualization Journey

Stages: Consolidation of IT, Business Production, IaaS + Public Cloud

• Inter-VM attacks

• Instant-on gaps

• Host controls under-deployed

• Resource Contention

• Mixed trust level VMs

• Data confidentiality & integrity

• Compliance / Lack of audit trail

• Data access & governance

• Diminished perimeter

• Multi-tenancy

• Data destruction

(14)


Problem #2

Data protection is the most pressing concern, but data is mobile, distributed and unprotected.

(15)

Amazon Web Services™ Customer Agreement

7.2. Security. We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.

http://aws.amazon.com/agreement/#7 (3 March 2010)

(16)


Who Has Control?

[Figure: control split between End-User (Enterprise) and Service Provider for: Servers; Virtualization & Private Cloud; Public Cloud IaaS; Public Cloud PaaS; Public Cloud SaaS]

(17)

Challenge of Securing Data

Datacenter:

• Strong perimeter security

• No shared CPU

• No shared network

• No shared storage

Cloud:

• Weak perimeter security

• Shared CPU

• Shared network

• Shared storage

Traditional “outside-in” approach is inadequate in an

(18)


Enterprise Controlled Data Protection for the Cloud

Patent pending Trend Micro technology enables enterprises to retain control of data in the cloud

(19)

Security Challenges Along the Virtualization Journey

Stages: Consolidation of IT, Business Production, ITaaS

VMware and Trend Micro help customers address these issues, and accelerate the journey

• Inter-VM attacks

• Instant-on gaps

• Host controls under-deployed

• Resource Contention

• Mixed trust level VMs

• Data confidentiality & integrity

• Compliance / Lack of audit trail

• Data access & governance

• Diminished perimeter

• Multi-tenancy

• Data destruction

(20)


Key Take-Away for Cloud Security

• Traditional security model for the physical environment will NOT work in a virtualized one.

• Cloud service providers will NOT guarantee confidentiality and integrity of your data.

(21)

Agenda | Datacenter & Cloud Security Vision

The Cloud Computing Evolution

Security Challenges in the Cloud

(22)


Trend Micro Customer Successes

Virtualization and Cloud Computing

Workstream

Enabled business scalability while maintaining security as a differentiator

Secure HR applications and data for the Fortune 100

• 24X7 SAS-70 & SOX compliant HR services center

• Deep Security enabled a massive virtualization program; Reduced 600 servers to 20

Premier provider of talent management solutions

Beth Israel Deaconess

Enabled access to cutting-edge health care applications and data

Secure On-Demand Electronic Health Record Solution

• Private external cloud delivers SaaS EHR applications and data for network of 300 physicians across 173 locations

• Trend-setter for provider-sponsored EHR/HIPAA initiatives

• Deep Security – “our most important security layer”

The teaching hospital and network of a major

(23)

Trend Micro Customer Successes

Virtualization and Cloud Computing

Leading Australian Bank

Enabled IT operations team to comply with corporate IT security standards

Secure Virtualized Banking Datacenter

• 400+ branches with 90% virtualization

• Experienced AV-storm.

• IT operation-led project continued w/o lowering security profile.

Leading financial institution providing retail, business, and wealth management services.

Australian Government

Enabled advancement of datacenter virtualization to meet Gershon Review.

Secure Informed Decision-Making and Research

• One of the most virtualized government entities in Australia

• 96% of the datacenter virtualized.

• Protect inter-VM traffic and audit system changes within VMs.

One of the most virtualized government

(24)


Trend Micro Security Enables The New Era

Control

Enterprise retains control of the data in the cloud

Business Power

Avoids lock-in & enables portability between cloud providers

Future Proof

(25)
