Trust: A Cloudy Concept Infrastructure Security in The Cloud

1
Trust A Cloudy ConceptInfrastructure Security
in The Cloud

• Kartik Shahani
• Country Manager - India SAARC
• RSA, The Security Division of EMC

2
Agenda

• Stages in the Journey to the Cloud
• Security Concerns
• Trust and Risks
• Challenges
• RSA Position to Secure Could Infrastructure
• Case Scenario
• Summary

3
Cloud Computing
Delivering on-demand access to shared pools of
data, applications, and hardware Efficient
Flexible Convenient Cost-effective
PrivateCloud
Virtualized Data Center
Internal cloud
External cloud
4
Stages in the Journey to the Cloud
5
51
Security is the greatest concern surrounding
cloud computing adoption.

• Gain visibility
• Maintain control
• Prove compliance

6
Trusted Zones for the Cloud
Attackers
Information
Information
Virtual Infrastructure
Virtual Infrastructure
Identity
Identity
Physical Infrastructure
Cloud Provider
Tenant 1
Tenant 2
7
Trusted Zones Key Capabilities
Isolate infrastructure from Malware, Trojans and
cybercriminals
Anti-malware
Federate identities with public clouds
Identity federation
Cybercrime intelligence
Strong authentication
Tenant 2
Virtual Infrastructure
Isolate information among tenants
Control and isolateVM
Virtual infrastructure security
Data loss prevention
Tenant 1
Virtual Infrastructure
Isolate information from cloud providers
employees
Segregate and control user access
Encryption key mgmt
Access Mgmt
Tokenization
Physical Infrastructure
Governance, Risk, and Compliance
Security Info. Event Mgmt
Enable end to end view of security events and
compliance across infrastructures
8
Security Concerns

• Today, cloud environments mainly host
  non-sensitive data due to security concerns.
• If cloud computing is going to meet enterprise
  needs for confidentiality of customer data and
  compliance with legal directives, it will have to
  provide increased levels of security to support
  more sensitive enterprise applications.

9
The Risk of Cloud Computing

• When organizations move their data into the
  public cloud, new stake holders are introduced in
  the form of third party service providers,
  vendors, and contractors
• This loosens the controls IT has on data security

10
Challenges of Cloud Computing

• Control Organizations will face reduced control
  of their data as more responsibility will shift
  to third parties.
• Regulation Regulations govern the way data must
  be protected in many industries, meaning the
  cloud must have proper controls
• Interoperability Todays clouds must be able to
  communicate with each other and offer data
  portability

• Convenience Those using the cloud want both
  convenient access and secure data protection,
  creating a difficult balancing act.
• Reporting To meet many of todays regulations,
  the ability to report where data is and how it is
  protected will be essential.
• Data Transfer Business must find a way to
  transfer data into the cloud in a way that is
  both safe and cost effective.

11
RSA Protection in Action
1 Billion Applications shipped with BSAFE
Encryption
25 Year legacy in information security
200 Million Identities protected
34,000 Organizations protected
120,000 Phishing attacks shut down
Embedded in Microsoft, HP, Sun and IBM operating
systems, Internet Explorer and Netscape
browsers, Ericsson, Nokia, Motorola phones,
major US government agencies and the list goes on
12
Virtualization Enables More Effective Security
by Pushing Enforcement Down the Stack
Today most security is enforced by the OS and
application stack making it ineffective,
inconsistent and complex

• Pushing information security enforcement in the
  virtualization and cloud infrastructure ensures
  consistency, simplifies security management and
  enables customers to surpass the levels of
  security possible in todays physical
  infrastructures

Physical infrastructure
13
VMware vShield Zones and RSA DLP Building a
Content-Aware Trusted Zone
Virtual Infrastructure

• Overview
• VMware vShield Zones provides isolation between
  groups of VMs in the virtual infrastructure
• Leverages the capabilities of vShield Zones to
  deploy DLP as a virtual application monitoring
  data traversing virtual networks
• Uses a centrally managed policies and enforcement
  controls to prevent data loss in the virtual
  datacenter
• Customer Benefits
• Pervasive protection
• Persistent protection
• Improved scalability

VMware vShield zones
DLP
DLP
DLP
DLP
VMware VSphere
Physical Infrastructure
14
Cloud Infrastructure The Next Frontier of Cloud
Security and Compliance
15
Problem Statement of Tenant

• When using the cloud, a tenant is not in
  physical control of their infrastructure. How do
  they
• Gain visibility into the Clouds IaaS?
• Assess the actual security posture of the IaaS?
• Trust those measurements of security?
• Prove to auditors that the infrastructure they
  are running on is compliant?

16
Cloud Compliance Use Case

• A tenant wants to run a business critical
  application in the cloud
• Their requirements
• Follow best security practices VMware hardening
  guidelines
• Pass a PCI audit (they hold credit card data)
• Be assured that they are booting from a secure
  root of trust (protection from inserted root kit
  and blue pill attacks)

17
RSA, VMware, and Intels Vision for Trusted
Cloud Computing Infrastructure

• Advanced development proof of concept
• Framework for measured, trusted cloud computing
  environment
• Bottoms up automated security assessment
• Leverages technologies from EMC (RSA and Archer),
  VMware and Intel
• Allows Cloud Service Provider to report on
  configuration of virtual infrastructure used by
  customer VMs
• Ties to a verifiable measurement of trust in the
  hardware and hypervisor

18
Cloud Compliance Architecture
19
Archer GRC Platform and Dashboard
20
Benefits

• Tenants
• Fast, accurate and efficient auditing and
  compliance process
• Granular view of cloud providers performance
  against SLAs
• Customized, flexible provisioning of trusted
  computing services
• Finer grained policy control

• Service Providers
• Differentiated service offerings
• Fast, accurate and efficient customer compliance
  audits
• Automated, scalable process for on-board audits

21
RSA Capabilities

• Understand risks
• RSA Virtual Security Assessment Service
• Secure virtual environments
• SecurID
• Integration with vSphere administrator access
• Integration with VMware view user desktop access
• Authentication Manager 6.1 and 7.1 supported when
  run as virtual applications on VMware
• RSA Key Manager
• Encryption client will integrate with
  applications virtualized by VMware
• enVision Event Manager
• Supports vSphere as an event source
• EMC Proven Solution for Secure Exchange
• RSA SecurID, DLP and enVision used to secure a
  virtualized Exchange infrastructure
• Leverage virtual infrastructure increase
  security
• Data Loss Prevention
• Integration with DLP and VMware vShield Zones
• Enable secure cloud computing
• RSA Access Manager RSA Key Manager to secure
  access and data in the cloud
• Adaptive Authentication available as a cloud
  security service

22
Next Steps in Shared Vision

• Solutions offerings
• Work with service providers to embed in cloud
  platforms
• IaaS, PaaS, SaaS
• Cloud platforms
• Embedding security in the virtualized
  infrastructure
• GRC automated IT control assessments
• VCE / vBlock Network, storage
• Federation, cyber-intelligence, access
  management, encryption
• Patch, vulnerability, configuration management

23
For Terremark, demonstrating compliance on
shared, virtualized platforms has been a manual,
complex, and labor-intensive set of activities.
As a VMware Vcloud partner, when we can easily
prove compliance, security and control on
multi-tenant, virtualized infrastructure, it will
be incredibly compelling to our customers and our
own business. Chris Day, Chief
Security Architect, Terremark Worldwide
24
Thank you!
25
Guidance for Ensuring Security In the Cloud
P
Harden all hypervisors Set clear policies for
co-residency and be equipped to enforce
them Evaluate whether cloud vendors can deliver
on their promise Assess cloud providers methods
to attesting to infrastructure security Look for
automated dashboard services for monitoring and
compliance
P
P
P
P
26
Cloud Security Essentials Identity Security

• Requirements

• Customer Questions

• Technical Questions Who Are My Neighbors?
• Are there controls in terms of who else is using
  this cloud infrastructure?
• Will my data be segregated so that others cannot
  access it?
• Is there strong identity management both for
  customers and for employees?

• Support of identity management tools for both
  users and infrastructure components
• Strong authentication that goes beyond a simple
  username and password
• Granular authorization such as role-based
  controls and IRM

Process/Policy Questions Is there good discipline
over separation of data, processes and
infrastructure?
27
Cloud Essentials Information Security

• Customer Questions

• Requirements

• Technical Questions Information Sensitivity
• What information will be going to the cloud?
• Are there privacy or confidentiality issues?
• Are there different levels of protection
  available for sensitive data?
• Information Mobility
• Where physically will the information be? Are
  there legal/sovereignty issues?
• Can I be sure I get it all back and all copies
  are permanently deleted if I stop using the
  cloud vendor or infrastructure?

• Policy-based content protection
• Granular data security and enforcement
• Effective data classification
• Information rights management
• Data isolation
• Resource lifecycle management

Process/Policy Questions Will the cloud vendor
outsource any of its functions? Can I control
that?
28
Cloud Essentials Infrastructure Security

• Requirements

• Customer Questions

• Appropriate controls, log collection, and
  reporting to assure compliance with regulations
• Inherent component-level security
• Granular interface security at data hand off
  points

• Technical questions Transparency,
  Accountability, Trust
• Can I meet audit and compliance requirements for
  the information or business process?
• Can I gain visibility into whether security
  controls, and other best practices, are being
  deployed?

Process/Policy Questions Can I get insight into
hiring and training practices regarding privacy
and security? Can I trust the cloud service
provider?
29
RSA Positioning

• RSAs Position
• With the right approach, organization can extend
  virtual technologies into environments with
  sensitive data and ultimately increase security
• RSAs Approach
• An information-centric, risk-based approach
  security designed to help organizations
• Understand risks
• Secure virtual environments virtualize security
  controls
• Leverage virtual infrastructure
• Enable secure cloud computing
• The Customer Benefit
• Accelerate the proliferation of virtualization
  and increase security