Security & Cloud Services
Ian Kayne

Academic year: 2021


Cloud Components

Dynamically scalable infrastructure, services and software based on broad network accessibility.


Cloud Services
•Public
•Private
•Hybrid
•Single & multi-tenant

Network Access
•Private WAN
•Internet
•Hybrid

Internal Estate
•User devices, BYO
•IT estate


Cloud Services

Service layers, top (end-user application) to bottom (virtual datacenter):

Managed Messaging / Applications / Web Services
  Abstraction of Environment – End User Application Provision

Operating Systems / Middleware / Database
  Abstraction of Infrastructure – Tool and Service Provision

Compute Power / Storage & Backup / Networking
  Automated Scalability & Resilience – “Virtual Datacenter”


Virtualization

[Diagram: physical servers pooled into a resource pool, running VMware ESX / ESXi hosts]


Virtualization

[Diagram: VMware ESXi hypervisors grouped into a zone]


Virtualization Attack Vectors

•App level attacks (especially legacy apps)

•O/S level attacks

•Infrastructure attacks

•Hypervisor breakout – VENOM flaw (2015, CVE-2015-3456)

◦ Escape from a guest VM to the host via a buffer overflow in the legacy virtual floppy disk controller (QEMU FDC) used by Xen, KVM and other QEMU-based hypervisors; the device is exposed even when the guest never uses a floppy

◦ Note: VMware ESXi was not affected, so it is an example of a class of flaw, not of this vendor

•Remote DoS – VMware ESXi hypervisor (2012)

◦ No authentication/credentials required

◦ A malformed request breaks the vSphere SOAP API


Cloud Attack Vectors

•All the Virtualization attack vectors, plus:

•Insecure web app design (OWASP top 10)

•API flaws

•Platform service flaws (middleware, databases etc.)

•Management systems flaws

•DoS (resource exhaustion)

•Credential theft – services are reachable from anywhere, so stolen credentials are usable from anywhere


Cloud Provider - Security

•Standard security practices, OWASP top 10

•Customer / Environment isolation (zoning)

•Enhanced auditing

•Service & architecture based on customer need (e.g. PCI DSS)

•Security Info & Event Management

◦ Collation of monitoring data from multiple sources

◦ Agent / SNMP based

◦ Centralized storage & assessment
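The collation and assessment steps above, as an added example in Go that is not part of the original deck: two constructed feeds (an sshd syslog line format and a key=value web-portal login log; neither is captured data) are parsed by per-source adapters into one normalized Event type, and a correlation rule fires only when failed logins from one source IP, counted across both feeds, reach a threshold that neither feed reaches on its own. The field names, threshold and rule are this example's own choices.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Event is the normalized record every feed is mapped into before it is
// stored centrally. The field names are this example's own choice.
type Event struct {
	Source  string // feed that produced the event
	Outcome string // "failure" or "success"
	User    string
	SrcIP   string
}

// Constructed sample lines (not real logs): an sshd syslog feed and a
// web-portal login feed, each in its own native format.
var sshdLines = []string{
	"Mar  3 10:01:07 app01 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2",
	"Mar  3 10:01:09 app01 sshd[2211]: Failed password for root from 203.0.113.9 port 51124 ssh2",
	"Mar  3 10:02:31 app01 sshd[2230]: Accepted publickey for deploy from 198.51.100.4 port 40010 ssh2",
}

var webLines = []string{
	"ts=2021-03-03T10:01:30Z app=portal event=login result=failure user=admin ip=203.0.113.9",
	"ts=2021-03-03T10:01:41Z app=portal event=login result=failure user=alice ip=203.0.113.9",
	"ts=2021-03-03T10:03:02Z app=portal event=login result=success user=alice ip=198.51.100.4",
}

var sshdRe = regexp.MustCompile(`sshd\[\d+\]: (Failed password|Accepted \w+) for (?:invalid user )?(\S+) from (\S+) port`)

// parseSSHD is the adapter for the syslog feed.
func parseSSHD(line string) (Event, bool) {
	m := sshdRe.FindStringSubmatch(line)
	if m == nil {
		return Event{}, false
	}
	outcome := "success"
	if strings.HasPrefix(m[1], "Failed") {
		outcome = "failure"
	}
	return Event{Source: "sshd", Outcome: outcome, User: m[2], SrcIP: m[3]}, true
}

// parseWeb is the adapter for the key=value feed.
func parseWeb(line string) (Event, bool) {
	kv := map[string]string{}
	for _, f := range strings.Fields(line) {
		if i := strings.IndexByte(f, '='); i > 0 {
			kv[f[:i]] = f[i+1:]
		}
	}
	if kv["event"] != "login" {
		return Event{}, false
	}
	return Event{Source: "web", Outcome: kv["result"], User: kv["user"], SrcIP: kv["ip"]}, true
}

// collect is the collation step: each feed goes through its own adapter
// and lands in one central event list.
func collect() []Event {
	var events []Event
	for _, l := range sshdLines {
		if e, ok := parseSSHD(l); ok {
			events = append(events, e)
		}
	}
	for _, l := range webLines {
		if e, ok := parseWeb(l); ok {
			events = append(events, e)
		}
	}
	return events
}

// bruteForceSources returns every source IP with at least threshold
// failed logins counted across all feeds, with the feeds it touched.
func bruteForceSources(events []Event, threshold int) map[string][]string {
	failures := map[string]int{}
	feeds := map[string]map[string]bool{}
	for _, e := range events {
		if e.Outcome != "failure" {
			continue
		}
		failures[e.SrcIP]++
		if feeds[e.SrcIP] == nil {
			feeds[e.SrcIP] = map[string]bool{}
		}
		feeds[e.SrcIP][e.Source] = true
	}
	out := map[string][]string{}
	for ip, n := range failures {
		if n < threshold {
			continue
		}
		var names []string
		for f := range feeds[ip] {
			names = append(names, f)
		}
		sort.Strings(names)
		out[ip] = names
	}
	return out
}

func main() {
	for ip, feeds := range bruteForceSources(collect(), 4) {
		fmt.Printf("ALERT %s: failed logins over threshold across feeds %v\n", ip, feeds)
	}
}
```

With the threshold at 4, 203.0.113.9 is flagged only because the two sshd failures and the two portal failures are counted together; either feed assessed on its own stays under the limit, which is the argument for central storage and assessment.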


Cloud Customer - Considerations

Visibility

• Regulatory compliance challenges
• Unknown risk profiles, “black box” service
• Loss of hands-on control of valuable data
• Privacy – cloud provider has access to data
• Multi-tenant “interference”
• Enforced change to environment

Network Reliance

• Inaccessibility on network or vendor outage (DDoS)
• Education
• Identity management “islands”
• BYOD
• Low data and service portability


Security Design Principles

•Cloud customers must protect both internal and cloud services – shared responsibility

•Defence in depth

•DMZ / Bastion / Perimeter security controls

•Least privilege

•Fail secure, fail closed, default deny

•Simplify (“economy of mechanism”)

•Avoid shared access mechanisms (“least common mechanism”)
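Default deny, fail closed and least privilege together, as an added Go example that is not from the deck: a small authorization check in which a request is allowed only if an explicit allow rule matches, any matching deny rule wins over an allow, and an unavailable policy store or a malformed rule produces a deny plus an error rather than an open door. The rule format, role names, action names and resource strings are this example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Rule is one line of policy. Resource is an exact string or a prefix
// ending in "*"; any other use of "*" is treated as malformed.
type Rule struct {
	Effect   string // "allow" or "deny"
	Role     string
	Action   string // exact action name, or "*" for any
	Resource string
}

type Request struct {
	Roles    []string
	Action   string
	Resource string
}

var ErrPolicyUnavailable = errors.New("policy store unavailable")

// PolicySource abstracts wherever the rules live (file, DB, remote service).
type PolicySource func() ([]Rule, error)

// matchResource treats a bad pattern as an error, not a silent non-match,
// so the caller can fail closed on it.
func matchResource(pattern, resource string) (bool, error) {
	star := strings.Index(pattern, "*")
	switch {
	case star < 0:
		return pattern == resource, nil
	case star == len(pattern)-1:
		return strings.HasPrefix(resource, pattern[:star]), nil
	default:
		return false, fmt.Errorf("malformed resource pattern %q", pattern)
	}
}

func matches(r Rule, req Request, role string) (bool, error) {
	if r.Role != role || (r.Action != "*" && r.Action != req.Action) {
		return false, nil
	}
	return matchResource(r.Resource, req.Resource)
}

// authorize is default deny and fail closed:
//   - no matching rule        -> deny
//   - any matching deny rule  -> deny, even if an allow also matches
//   - policy cannot be loaded -> deny, error returned to the caller
//   - malformed rule          -> deny, error returned to the caller
func authorize(src PolicySource, req Request) (bool, error) {
	rules, err := src()
	if err != nil {
		return false, err
	}
	allowed := false
	for _, role := range req.Roles {
		for _, r := range rules {
			ok, err := matches(r, req, role)
			if err != nil {
				return false, err
			}
			if !ok {
				continue
			}
			if r.Effect == "deny" {
				return false, nil
			}
			if r.Effect == "allow" {
				allowed = true
			}
		}
	}
	return allowed, nil
}

// Constructed least-privilege policy: reporting may only read report
// objects; admin may do anything under the bucket except read key material.
var samplePolicy = []Rule{
	{Effect: "allow", Role: "reporting", Action: "storage:GetObject", Resource: "bucket/reports/*"},
	{Effect: "allow", Role: "admin", Action: "*", Resource: "bucket/*"},
	{Effect: "deny", Role: "admin", Action: "storage:GetObject", Resource: "bucket/keys/*"},
}

func staticPolicy() ([]Rule, error) { return samplePolicy, nil }
func brokenPolicy() ([]Rule, error) { return nil, ErrPolicyUnavailable }

func main() {
	req := Request{Roles: []string{"admin"}, Action: "storage:GetObject", Resource: "bucket/keys/kek.bin"}
	ok, err := authorize(staticPolicy, req)
	fmt.Println("admin reads key material:", ok, err)
	ok, err = authorize(brokenPolicy, req)
	fmt.Println("policy store down:", ok, err)
}
```

The part worth copying is the error path: a caller that receives an error from authorize has no allow to act on, so an outage in the policy store degrades to "nobody gets in" rather than "everybody gets in".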


More Security Design Principles

•Human Factor & “usable security”

•Password Policies

•People are often the weakest link



Data Classification

•Know the value of data

•Understand the impact of data aggregation

•Understand the impact of a security breach

•Understand data states:

◦ In Use – in memory (stack, heap)

◦ In Motion – in transit (network)

◦ At Rest – in storage (disk)


Encryption

•“Any encryption keys must exist as long as the encrypted data exists. And storing those keys becomes as important as storing the unencrypted data was. In a way, encryption doesn't reduce the number of secrets that must be stored securely; it just makes them much smaller.” – Bruce Schneier

•Data at rest – encryption plays a supporting role: it keeps the data confidential from the cloud service provider, but an attacker does not attack the encryption itself; they go after the keys, or after the data while it is in use


Convenience > Security

• Every website.

• Every web browser.


Encryption Keys

•“We suffered a security breach, but our confidential customer data was encrypted”

•How was the data used?

•Where were the keys stored?


Cloud Encryption Appliances

•Encryption happens “on premises” before transmission to cloud service

•Separates key storage from data at rest

•Requires two pronged attack to breach data

[Diagram: plain text on premises, encrypted data in the cloud service]
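The key-separation point of this slide and of the preceding one (where were the keys stored?), as an added Go example that is not part of the deck: an envelope-encryption model of the appliance using AES-256-GCM from the Go standard library. The key-encryption key stays on premises; the cloud receives only the ciphertext and the per-object data key wrapped under that KEK, so reading the data needs the cloud copy and the on-premises key store together. The type names, the use of the object ID as associated data, the random in-memory KEK and the sample record are this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// OnPremKeyStore holds the key-encryption key (KEK). It stays in the
// customer estate and never sees customer data, only wrapped data keys.
type OnPremKeyStore struct{ kek []byte }

// CloudObject is all the provider stores for one object: ciphertext plus
// the per-object data key wrapped under the KEK. No plaintext, no KEK.
type CloudObject struct {
	WrappedDEK []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal is AES-256-GCM with a fresh random nonce prepended to the output;
// aad binds the result to the object ID so objects cannot be swapped.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, data, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(data) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, data[:g.NonceSize()], data[g.NonceSize():], aad)
}

// NewKeyStore makes a random KEK (assumption: a real appliance loads it from an HSM/KMS).
func NewKeyStore() (*OnPremKeyStore, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &OnPremKeyStore{kek: kek}, nil
}

// Encrypt is the appliance step: a random data key (DEK) encrypts the
// object, the KEK wraps the DEK, and only those two results go to the cloud.
func (ks *OnPremKeyStore) Encrypt(objectID string, plaintext []byte) (CloudObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return CloudObject{}, err
	}
	ct, err := seal(dek, plaintext, []byte(objectID))
	if err != nil {
		return CloudObject{}, err
	}
	wrapped, err := seal(ks.kek, dek, []byte(objectID))
	if err != nil {
		return CloudObject{}, err
	}
	return CloudObject{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt needs both halves: the cloud copy and the on-premises KEK.
func (ks *OnPremKeyStore) Decrypt(objectID string, obj CloudObject) ([]byte, error) {
	dek, err := open(ks.kek, obj.WrappedDEK, []byte(objectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, obj.Ciphertext, []byte(objectID))
}

func main() {
	ks, _ := NewKeyStore()
	obj, _ := ks.Encrypt("customers/4711", []byte("customer 4711: card on file")) // constructed record
	attacker, _ := NewKeyStore() // holds the breached cloud copy but a different KEK
	_, err := attacker.Decrypt("customers/4711", obj)
	fmt.Println("cloud copy without the on-prem KEK:", err)
}
```

The breach statement on the previous slide is only meaningful under this layout: a compromise of the cloud store yields ciphertext and wrapped keys, and the second prong (the on-premises key store) still has to fall before the data does. Storing the KEK beside the objects collapses both prongs into one.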


Data Loss Prevention

•Proactive detection & prevention

•Network egress points

•“End point protection”

•Detects sensitive information in transit based on policy
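Policy-based detection of sensitive content in transit, as an added Go example that is not from the deck: an egress check with two constructed policies, a card-number pattern validated with the Luhn check so that order numbers and other digit runs do not trigger it, and a classification label of the kind a data-classification scheme stamps on documents. The policy names, patterns, masking rule and sample payloads are this example's own.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding records which policy fired and the matched text; card numbers
// are returned masked so the DLP alert itself does not leak the data.
type Finding struct {
	Policy string
	Masked string
}

// Digit runs of 13-19 digits with optional space or dash separators.
// Constructed policy for this example, not a vendor rule set.
var cardRe = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// Classification labels as a data-classification scheme would stamp them.
var labelRe = regexp.MustCompile(`(?i)\bclassification:\s*(confidential|restricted)\b`)

// luhnValid separates real card numbers from order numbers, timestamps and
// other digit runs that only look like cards.
func luhnValid(digits string) bool {
	if len(digits) < 13 || len(digits) > 19 {
		return false
	}
	sum := 0
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

func mask(s string) string {
	if len(s) <= 4 {
		return strings.Repeat("*", len(s))
	}
	return strings.Repeat("*", len(s)-4) + s[len(s)-4:]
}

// inspect applies every policy to one outbound payload.
func inspect(payload string) []Finding {
	var out []Finding
	for _, m := range cardRe.FindAllString(payload, -1) {
		digits := strings.NewReplacer(" ", "", "-", "").Replace(m)
		if luhnValid(digits) {
			out = append(out, Finding{Policy: "pci-card-number", Masked: mask(digits)})
		}
	}
	for _, m := range labelRe.FindAllString(payload, -1) {
		out = append(out, Finding{Policy: "classified-document", Masked: m})
	}
	return out
}

// egressAllowed is the decision an egress gateway or endpoint agent
// would enforce: block if any policy fired.
func egressAllowed(payload string) (bool, []Finding) {
	f := inspect(payload)
	return len(f) == 0, f
}

// Constructed sample payloads, not captured traffic.
var samples = []string{
	"Order ref 1234 5678 9012 3456 has shipped",
	"Use card 4111 1111 1111 1111 exp 12/24 for the booking",
	"CLASSIFICATION: Confidential - Q3 forecast attached",
	"Lunch at 12:30?",
}

func main() {
	for _, s := range samples {
		ok, f := egressAllowed(s)
		fmt.Printf("allow=%v findings=%v payload=%q\n", ok, f, s)
	}
}
```

The first sample is the case that matters in practice: a sixteen-digit order reference matches the pattern but fails Luhn, so it passes, while the test card number in the second sample is blocked. Without that second check a DLP policy on digit patterns drowns the operators in false positives and gets switched off.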


Identity Access Management

•“…the security discipline that enables the right individuals to access the right resources at the right times for the right reasons.” – Gartner

•Key to (regulatory) compliance

•Centralized control of data and app access was hard for internal IT systems – local accounts, shadow IT


Federated SSO & SAML

•Provides a single source of authentication and authorization to multiple service providers

•Security Assertion Markup Language

•Requires preset


Secure Architecture Design

•No “one size fits all”

•Dependent on customer need, cloud service (SaaS is different to IaaS)

•Dependent on risk profile & data classification


Architecture


Foundations

•Security is much more than just devices & config:

◦ Governance

◦ Policies

◦ Auditing

◦ Processes

◦ Design patterns


Thank you

Q&A

This document was created using the official VMware icon and diagram library. Copyright © 2012 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents.
