Cloud Security | GSF 2012 | Session 4-2


Paradigm shift in Cloud Security. Learn why you should be using it.
The goal is to build a trusted enterprise and a SP cloud to enable seamless enterprise adoption.
By: Ravi Varanasi


Transcript

  • 1. Cloud Security. Ravi Varanasi, Technology Director, Cloud Security, Office of CTO, vravi@cisco.com, 408-526-7468. © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.
  • 2. Old vs. new
    Old: Protect the perimeter | New: Protect the data, app, hypervisor
    Old: Place it in the right security zone | New: VMs should move with 'attached' security policy
    Old: Zones are static | New: Zones are dynamic and on the move
    Old: Trust the 'insider'; machine-to-machine traffic can be seen on 'the wire' (virtualization challenges this) | New: Pervasive distrust
    Old: Dedicated, secure | New: Shared resources with instantiations
  • 3. Role of the network in Cloud Security: routes all requests, sources all data, handles all devices, shapes all streams, controls all flows, sees all traffic, touches all users.
  • 4. A. Loss of control & visibility; B. Disruption of service; C. Information security; D. Company data isolation; E. Compliance.
  • 5. (Diagram) Use case-1: Private Cloud (enterprise data center, VDC in DC-2, DC-Interconnect, MPLS). Use case-2: Public/Hybrid Cloud (SP Virtual Private Cloud / Public Cloud). Use case-3: Internet connectivity to SaaS apps. Use case-4: Intelligent branch connectivity (branch office).
  • 6. (Diagram) PE services, CPE services and current trends: provider network and service cloud, with a virtual platform built out on the PE or on the CPE. Services shown: WAN Opt, QoS, FW, IPS, Zone FW, Access VPN, AppFW, Web Access Control, Edge-FW, Security, Hosted DC/VDC/VPC, NAC, Enterprise Identity.
  • 7. Building Trusted Clouds: tenets to focus on (diagram; items recovered from it): DC Interconnect: Secure OTV, VPLS. Hypervisor security: VM provisioning, ease of config, VM isolation, VPATH to stitch VMs, VLAN/VRF based isolation at VPATH. Secure connectivity at Unified I/O. Data-in-flight security. Data-at-rest security. Data protection, DLP from SaaS apps. Network value-add in situational awareness. AnyConnect, thin client lock down, VDI/VXI. Federated ID to SaaS; extension of ID params to application. Operational security: infrastructure audits, SAS 70 Type II, management, audit trails, config vulnerability assessment. Policy enforcement framework for VM apps. Location based policies: LISP, location extensions to ISE, VNLink, meta data, ID based location policies. Admission control, app-based controls. Compliance reports: CC, ENISA, CSA, NIST, FedRAMP, PCI, HIPAA. Web application security. Physical inventory tracking.
  • 8. XaaS security needs (SaaS, PaaS, IaaS): FISMA act 2002; NIST SP 800-53; FIPS 199, 200; data protection; DB ops at the SaaS provider to meet confidentiality, compliance, integrity and availability needs.
  • 9. Drivers for Cloud usage, with the security needs and network value-add for each (diagram):
    Data Center Consolidation: Secure OTV, location based policy, traffic shaping/SLA, data-in-flight and at-rest security; DC interconnect: site-to-site VPN, FW, OTV, LISP.
    Storage Consolidation, movement to cloud (NAS, object-oriented, block): multi-tenant VM security, data-at-rest security, I/O interconnect, persistent key storage, visibility/monitoring data, storage copies and access logs, security while preserving dedupe, replication etc.
    Server Virtualization: VM->VM security, FW, in-memory forensics, network richness in hypervisor (ex: vPath), L3-L7 based policy, multi-tenant with HW control, hypervisor independence.
    Desktop Virtualization, Internet-of-things: integrated thin-client, thin-client lock-down, restricted local copy, context-aware VMotion.
  • 10. Section divider: CSPC: Visibility, Tracking, Central Management, VM provisioning.
  • 12. Security Market & Solution Requirements. Goal: building trusted enterprise and SP clouds to enable seamless enterprise adoption.
    1. Secure connectivity of DC to Cloud, Cloud to Cloud, End-point to Cloud-app
    2. Central control for: 1. Configuration of infrastructure elements 2. Policy: resource access, applications
    3. Auto-provisioning of cloud security services with measurable consumption
    4. Data-in-flight security: DLP, encryption (client to app, app to 'infra')
    5. Data-at-rest security
    6. Compliance with industry standards, customer standards, and regulations
    7. Visibility: asset tracking, application/device/VM state, role-based audit trail
    8. Secure the physical infrastructure (network, compute, storage, NOC)
    9. Multi-tenancy: customer-centric resource and network isolation
  • 14. Private Cloud, DC-Interconnect (diagram: enterprise DC with web, application and database tiers and storage; VDC in DC-2 with VPN termination (L2, L3), mgmt VLAN/VRF, control, firewall and load balancer)
    • DC-Interconnect, L2 network extensions: overlay transport virtualization (OTV); VxLAN, VLAN
    • Secure OTV traffic: FW for OTV traffic, Web App Firewall
    • VM provisioning & mobility: Nexus 1000v, VPATH; presence at L2 extension end-points
    • Virtual infrastructure services container: extension of network services to VDC (vFW, vWAAS); Zone+Edge FW; connect virtual and physical stacks
    • Movement to private cloud: 1. Web tier moves to VDC 2. App tier moves to VDC
    • VDI, VXI: availability, DR, 802.1x, TrustSec; AnyConnect client
  • 15. Public/hybrid cloud (diagram: enterprise DC, private cloud VDC and branch office connected to a VPC in an SP Virtual Private Cloud / Public Cloud, with web, app and database tiers and storage)
    • Scalable VPN; extension of network services
    • Cloud bursting of front-end web service (Bestbuy.com on Black Friday, IRS on April 15th)
    • Work load migration to Public, Hybrid cloud: Expedia: web front end to find an airline deal, with connectivity to the enterprise-controlled App and DB for actual ticketing
    • VMotion of Web tier for DR, availability
  • 16. Customer requirement: secure movement of vApps across cloud infrastructure (diagram: vApp1 and vApp2, each with web, app and DB VMs)
    • Solution: VXLAN: millions of dedicated LAN segments; security at scale
    • VXLAN is network friendly: efficient load sharing of links (port channel); supports NAT, better security controls; duplicate MAC & IP addresses
    • Leverage multicast network for broadcast / unknown unicast traffic
    • Submitted to IETF; supported by Cisco, VMware, RedHat, Citrix, others; Nexus 1000V & vCD. VXLAN IETF Draft: http://datatracker.ietf.org/doc/draft-mahalingam-dutt-dcops-vxlan/
  • 17. Use Case 2: Web/App tiers in VPC: Cloud Security solutions
    • L2 extensions, segmentation: Cisco virtual router with security stack at VPC edge; secure isolation within the cloud provider's network; feature parity, similar network stack at Ent, Branch and VPC
    • Information security: data-in-flight security (location based, secure VM connectivity); data-at-rest security (Cisco MDS)
    • Multi-tenancy: VPATH solution at hypervisor level; separation: VxLAN, VLAN seg, VRF; isolation: VPC-edge firewall, access control
    • Virtual Firewall: combined Zone + Edge firewall, XACML configuration
    • Compliance needs: visibility, asset tracking; location based controls; admission control, centralized identity and policy control
    • Hypervisor agnostic stack: enable movement between clouds
  • 18. The Network Yesterday / The Network Today / The Network Tomorrow? (diagram). Yesterday: private LL, FR, ATM, MetroE. Today: branch office (ISR) to corp HQ / data center over SP-managed VPN (MPLS / GET VPN, service edge ASR 1k) and non-SP-managed VPN over the Internet (IPSec, DM, SSL; Internet edge ASA 5500); home / remote user via AnyConnect (IPSec / SSL); DC interconnect via OTV, IPSec. Tomorrow: VPC in public cloud? (L2 access, L3 access, IPSec to the VPC).
  • 19. Customer-managed, customer/SP-managed and cloud-provider-managed segments (diagram): customer #1 and customer #2 HQ / DC sites (ISR, ASA 5500, ASR 1k) connect site-to-site over the SP network (MPLS VPN / GET VPN, ASR 9k) to VPC #1 and VPC #2 in the cloud via L2 or L3 access; home / remote users connect via remote L3 access. Build / acquire multi-tenant cloud? Dedicated?
  • 20. L2 over WAN with the LISP protocol (diagram: enterprise data center with a LISP VM mobility router, LISP tunnel over the Internet to a CSR 1000v in the cloud provider's VPC)
    • L2 connectivity and L3 address mobility between DC and VPC
    • Transparent on-boarding of existing business applications to VPC
    • L2 over WAN: EoMPLS over GRE. Addressing: NAT/PAT, LISP for VM mobility. Transport services: VRF-Lite, multicast
  • 21. CSR placement (diagram): CSR at the data center (with ASR: AVC, FW, BGP), at the branch (with ISR: VPN, QoS, NAT) and in the cloud (AVC, FW, BGP, vWAAS, QoS, VPN, NAT). Attributes: connectivity, traffic redirection, integrated services, throughput (1GB RAM / 1Gbps, 4GB RAM / 2Gbps), programmability (REST/XML), manageability (VNMC, OpenStack, cloud portal), licensing, elasticity.
  • 23. Proposal for vPath positioning: importance & strategy (diagram: Nexus 1000V with vPath in each VEM on vSphere, hosting VMs and VSNs)
    • Cisco's network value-add in hypervisor
    • VM-VM stitching, security; service chaining with SIA, SGT tags
    • Ensure multi-tenancy with connectivity to hardware
    • Local fast switching decisions for crypto, H-QoS, regex lookups
    • Connect virtual and physical stacks; enforce segmentation
    • Strategic: Cisco's network intelligence present in hypervisor: controls data-in-flight, inter-VM traffic; subjects VMotion to geo-policies; preserves network experience while connecting cloud deployments
  • 24. Virtual router based on IOS-XE, runs on a virtualized server (e.g. UCS)
    • Phase 1: virtual VPN appliance: site-to-site VPN (DMVPN, Easy VPN, IPSec); routing (BGP, EIGRP, OSPF, MPLS); network management (SNMP, Syslog); access control (ACL, AAA); virtualization platform: VMware vSphere; basic licensing: static capacity (up to 150 tunnels), annual subscription
    • Phase 1.1: WAN Opt support; public cloud virtualization: Citrix Xen support; more manageability: VNMC / LineSider Overdrive, OpenStack integration; advanced licensing: site licensing; more IOS-XE features: Flex VPN (includes IPv6 support), AnyConnect (IPSec), L3 FW, HSRP
    • Phase 2: more security: GETVPN, L7 firewall (K2: visibility, web security), AnyConnect (SSL); more networking: NAT, QoS, NetFlow, OTV, LISP; more virtualization platforms: Red Hat KVM, Microsoft Hyper-V
  • 25. Cloud storage (diagram: enterprise data center, private cloud VDC and branch office sending data to cloud storage: EMC, ATMOS, Amazon EC2, Hadoop; NAS, SAN, OBJ; VPC / public cloud)
    • Customer demands, compliance needs for Cloud Security: all storage-bound data *must* be encrypted before it leaves the campus edge / enterprise; all key material must remain within (or within complete control of) the enterprise.
    • Problem: storage vendors apply efficiency protocols like de-dupe and thin provisioning at the last mile before storing the data; lack of key material breaks those storage protocols. NetApp and EMC recognize the need for a pre-processing stack.
    • Solution: pre-process the storage protocols on VMs on branch routers / UCS; a generated pre-process hash appended to the encrypted data at the branch router will help.
    • Network's value-add: Cloud Security pulls storage pre-processing requirements into the network; storage vendors are looking for network value-add with pre-processing, key distribution, compliance, geo-controls, visibility and audit reports.
  • 28. • Cryptography is a fundamental underpinning of nearly all security products, solutions and architectures
    • Strongest, most efficient commercial cryptography: Elliptic Curve, AES-GCM, etc.
    • The age of the mobile device (BYOD): low power endpoint evolution driving the need for more efficient, stronger crypto
    • Higher data throughputs driving scalability needs: current cryptographic implementations WILL NOT scale to 10G, 40G and 100
  • 29. Modular crypto (diagram): custom applications (Apache / Tomcat, SSH, SRTP) on OpenSSL: libssl (TLS 1.0 / SSL 3.0 / SSL 2.0, s_client / s_server) and libcrypto with the OpenSSL EVP algorithm interfaces (AES / TDES, DES / RC4, RSA / DSA / ECDSA / ECDH, MD5, SHA-1 / SHA-2, all other crypto); enhanced with FECC (RFC6090), ex: AES-GCM. Crypto running on a VM with an interface to an HSM; FIPS boundary around the HSM; FIPS 140-2 validated crypto module (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1668).
  • 30. Physical appliances and modules vs. virtual & cloud firewall. Physical: Multi-scale data center-class ASA devices: Cisco ASA 5585-X, ASA SM for Catalyst 6500 (scalable in-line performance; data center edge security policies; flexible deployment options). Virtual & cloud: enhanced cloud security with the Cisco Virtual Security Gateway (VSG) and the new Cisco ASA 1000V (firewall to secure your cloud; tenant-edge to VM-specific policies; automated, policy-based provisioning).
  • 31. Enterprise identity for SaaS (diagram: enterprise DC / private cloud VDC and branch office with web front-ends reaching the SF.com hosted cloud (SF app and DB tiers) and the ADP hosted cloud (ADP app and DB tiers) in the public cloud)
    • SF.com ID needs: first, last name; role; location; download privileges. ADP.com ID needs: first, last name; date-of-birth; SSN.
    • Enterprise ID, federated ID, attribute-key-value pairs, trusted ID store. SaaS applications: all tiers (web, app, DB) under 3rd party control.
    • Options for enterprise: export ID to multiple partners (ex: current Cisco IT: ID to ADP (Payroll), Connexa (CPC), Infosys (HR functions) + ....); maintain ID for each session; update ID at an ID-store / IdP and let them federate / SSO.
  • 32. Requirement / Function / Solution (same SaaS diagram as slide 31)
    • Identity. Function: cloud service must authenticate end user, enterprise ID. Solution: extensible ID definition; generic attributes (user, role, ToD, app); network attributes (location, device, posture); customer attributes.
    • Federated Identity. Function: Ent ID to trusted providers for federation to SaaS. Solution: SAML tokens, SAML assertions.
    • DLP. Function: split tunneling for SaaS access. Solution: ScanSafe, IronPort front-end; ScanSafe implementation of DLP based on ID & policy.
  • 33. Securing SaaS Access (diagram): corporate office, branch office and home office users (AnyConnect Secure Mobility Client) reach SaaS through the Cisco IronPort Web Security Appliance / SaaS Gateway, backed by the user directory; no direct access. Visibility | Centralized Enforcement.
  • 34. Web Security Challenges (diagram): social networking, webmail (Hotmail), business pipeline apps. Block malware, control web traffic, prevent data loss.
  • 35. ScanSafe: expanded footprint. Current datacenters: Bangalore, Chicago, Copenhagen, Dallas, Frankfurt, Hong Kong, Johannesburg, London, Miami, New York, Paris, San Jose, Sao Paulo, Singapore, Sydney, Tokyo, Toronto, Vancouver, Zurich. Planned datacenters: Dubai, Mexico.
  • 36. Full Context Awareness (diagram): identity (human resources), application (job sites, instant message, Facebook, streaming media, P2P), object (file transfer, content), time (lunch hour), location, compliance (business-related?).
  • 37. Security from the cloud: secure mobility (diagram): mobile user with AnyConnect client; the ASA redirects to the on-premise WSA or to the cloud.
  • 39. Policy: Who, What, Where, When, and How? Cisco ISE for Advanced Policy Management (diagram; steps as numbered on the slide)
    1. User authentication: IEEE 802.1x EAP, RADIUS
    2. Profiling to identify device: HTTP, NetFlow, SNMP, DNS, DHCP
    3. Posture of the device
    4. Policy decision: corporate asset -> company resources (VLAN 10); personal asset -> Internet only (VLAN 20); time 2:38 p.m.; HQ wireless LAN controller
    5. Enforce policy in the network
    6. Full or partial access granted. Unified access management.
  • 40. Identity management building blocks (diagram): identity provisioning (identity admin, provisioning service, user / group provisioning, registration, profile admin); delegated admin mgmt (delegated admin, role mgmt, attribute mgmt, profile mgmt, access admin, access policy mgmt); access mgmt (single sign on, login service, coarse grain AuthZ, fine grain AuthZ, global logout); federation (identity provider, service provider, attribute authority); credential / principle mgmt, CCO look up, OnRamp tool, localization; audit & reporting across IT services, tools & apps and business functionalities.
  • 41. Knowledge (something user knows), Token (something user has), Biometrics (something user inherits).
  • 44. Visibility / Tracking / Analysis
    • Visibility ("composition of cloud assets"): device, app, VM visibility; OS version; config visibility; asset info, audit trails; inventory tracking
    • Tracking ("where are the assets"): geo location; device config changes: who, when, what; lifecycle aspects; support contracts
    • Analysis ("regulatory, policy adherence"): PCI, HIPAA, SOX, NIST, ISO, CC, ENISA; capability rules; new configuration rules; policy stickiness
    • Compliance-as-a-service: compliance check list for cloud deployments. Advanced services: guidance to deploy secure cloud solutions that will meet the compliance controls specified (PCI, HIPAA, etc.)
    • Focus is on assessment: security best practices; internal mandates; external mandates (PCI, SOX, ...). Current focus on: VBlocks; Nexus 1KV, Nexus 7K; ASA, WSA; ISR, ASR, virtual router
  • 46. Thank you.
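The VXLAN segmentation argument of slide 16 (a 24-bit VNI giving millions of segments, duplicate MACs and IPs per tenant, multicast for unknown unicast) as an added example in Python; it is not code from the deck or from Cisco, and the Vtep class, MAC addresses and VNIs are constructed for illustration.

```python
"""Added example, not from the slides: parse the VXLAN header and treat the
24-bit VNI as the tenant-isolation key, so tenants may reuse MACs and IPs
without colliding. Frames, MACs and VNIs below are constructed."""
import struct

FLAG_VNI_VALID = 0x08          # "I" bit of the flags byte: the VNI field is valid
MAX_SEGMENTS = 1 << 24         # 16,777,216 segments from a 24-bit VNI
ETH_HDR = 14                   # dst MAC(6) + src MAC(6) + ethertype(2)


def encapsulate(vni, inner_frame):
    """Prepend the 8-byte VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni < MAX_SEGMENTS:
        raise ValueError("VNI must fit in 24 bits")
    return bytes([FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00" + inner_frame


def parse_vxlan(packet):
    """Return (vni, inner Ethernet frame); reject truncated or flag-less headers."""
    if len(packet) < 8 + ETH_HDR:
        raise ValueError("truncated VXLAN packet")
    if not packet[0] & FLAG_VNI_VALID:
        raise ValueError("I flag clear: no valid VNI")
    return int.from_bytes(packet[4:7], "big"), packet[8:]


def ethernet_frame(dst_mac, src_mac, ethertype=0x0800, payload=b""):
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


class Vtep:
    """Toy VXLAN tunnel endpoint: learns (VNI, MAC) -> port and forwards only inside a VNI."""
    def __init__(self, allowed_vnis):
        self.allowed = set(allowed_vnis)   # segments provisioned for the tenants served here
        self.table = {}                    # (vni, mac) -> port; the VNI is part of the key

    def handle(self, packet, ingress_port):
        """Return ('drop'|'flood'|'forward', vni, egress_port)."""
        vni, frame = parse_vxlan(packet)
        if vni not in self.allowed:
            return "drop", vni, None        # not a segment of any tenant served here
        dst, src = frame[0:6], frame[6:12]
        self.table[(vni, src)] = ingress_port
        out = self.table.get((vni, dst))    # the lookup never crosses VNIs
        if out is None:
            return "flood", vni, None       # BUM traffic -> multicast group of this VNI
        return "forward", vni, out


def demo():
    """Same MACs in two VNIs stay two separate segments; an unknown VNI is dropped."""
    mac_a, mac_b = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    vtep = Vtep(allowed_vnis=[5000, 6000])
    r1 = vtep.handle(encapsulate(5000, ethernet_frame(mac_b, mac_a)), 1)   # learn A on VNI 5000
    r2 = vtep.handle(encapsulate(5000, ethernet_frame(mac_a, mac_b)), 2)   # B -> A, A is known
    r3 = vtep.handle(encapsulate(6000, ethernet_frame(mac_a, mac_b)), 3)   # same MACs, other VNI
    r4 = vtep.handle(encapsulate(7000, ethernet_frame(mac_a, mac_b)), 4)   # VNI not provisioned
    return r1[0], r2, r3[0], r4[0]
```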
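The storage pre-processing argument of slide 25 (encrypt before data leaves the enterprise, keep all keys in-house, append a pre-process hash so the provider can still de-dupe) as an added Python example; it is not code from the deck or from any storage vendor, and the keys, data and the HMAC-based keystream standing in for a real cipher such as AES-GCM are assumptions.

```python
"""Added example, not from the slides: dedupe-friendly storage pre-processing.
The enterprise holds both keys; the provider only sees (fingerprint, ciphertext)
records and dedupes on the fingerprint. Keystream cipher = stdlib stand-in for AES-GCM."""
import hashlib
import hmac
import os

CHUNK = 4096  # dedupe granularity: fixed-size chunks


def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a real cipher)."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


class BranchPreprocessor:
    """Enterprise side (the branch-router VM of the slide): keys never leave here."""
    def __init__(self, fp_key, enc_key):
        self.fp_key = fp_key    # keyed fingerprint: provider cannot test plaintext guesses
        self.enc_key = enc_key  # data key, stays under enterprise control
    def seal(self, chunk):
        fp = hmac.new(self.fp_key, chunk, hashlib.sha256).digest()
        nonce = os.urandom(16)  # fresh per chunk, so ciphertexts never repeat
        ct = bytes(a ^ b for a, b in zip(chunk, _keystream(self.enc_key, nonce, len(chunk))))
        tag = hmac.new(self.enc_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
        return fp, nonce + ct + tag  # fingerprint travels alongside the sealed chunk
    def open(self, blob):
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(self.enc_key, nonce + ct, hashlib.sha256).digest()):
            raise ValueError("integrity check failed")
        return bytes(a ^ b for a, b in zip(ct, _keystream(self.enc_key, nonce, len(ct))))
    def upload(self, data, provider):
        manifest = []
        for i in range(0, len(data), CHUNK):
            fp, blob = self.seal(data[i:i + CHUNK])
            provider.put(fp, blob)          # provider dedupes on fp, never needs a key
            manifest.append(fp)
        return manifest  # the enterprise keeps this to restore the file
    def restore(self, manifest, provider):
        return b"".join(self.open(provider.blobs[fp]) for fp in manifest)


class StorageProvider:
    """Cloud storage side: dedupes on the fingerprint, holds no key material."""
    def __init__(self):
        self.blobs, self.dedup_hits = {}, 0
    def put(self, fp, blob):
        if fp in self.blobs:
            self.dedup_hits += 1  # same plaintext chunk seen before: store nothing new
        else:
            self.blobs[fp] = blob


def demo():
    """Two files sharing two of three chunks: four blobs stored, two dedup hits."""
    branch = BranchPreprocessor(b"fp-key-example", b"enc-key-example")  # constructed keys
    provider = StorageProvider()
    shared = bytes(range(256)) * 32  # exactly two 4096-byte chunks
    file_a, file_b = shared + b"report-v1", shared + b"report-v2"
    m_a, m_b = branch.upload(file_a, provider), branch.upload(file_b, provider)
    ok = branch.restore(m_a, provider) == file_a and branch.restore(m_b, provider) == file_b
    return len(provider.blobs), provider.dedup_hits, ok
```

The fingerprint is keyed (HMAC) rather than a plain hash so the provider can dedupe identical chunks without being able to confirm guesses about their contents; the randomized encryption means the stored ciphertexts still differ, which is why dedupe has to key on the fingerprint and not on the ciphertext.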