When your employees are consumers, they have a myriad of networking and connectivity options available, from Facebook to Twitter. As employees, they don’t have access to the same options. So, what do they do? They access these options from work and begin using them to make their work life more efficient. Eventually, all roads will lead to the cloud. So what are some of the big trends in Cloud computing and security?
Clearly, the Cloud is dramatically increasing the complexity of things.
Virtually everything (no pun intended) is moving to the Cloud, yes, including the kitchen sink.
Trying to connect these various systems – be it legacy systems, public clouds, private clouds – quickly begins to look something like a sea of spaghetti.
The Cloud is also impacting how we build and establish trust.
• Reactive security needs to be balanced with proactive Trust Management (identity-driven security).
• Moving from black lists to white lists: the Internet's default-allow-all foundation is being replaced by default-deny-all, but with trusted exceptions.
• Identity is key to defining relationships and building trusted exceptions and trust models.
• From instant messaging to social networks, the concepts around relationship management are providing new controls for security and privacy.
• In order to build a relationship map for enabling trust, you need identity, reputation and context as building blocks.
• We should be developing a cloud service that can broker identity and implement trust models on a global scale.
• Peer-to-peer models for enabling Trust Management won't succeed; you need a third party to broker trust.
• For the enterprise, Trust Management is all about defining the business ecosystem and enabling more secure channels for collaboration and transactions. Think of this as the new "extranet", where trust models infer security policy based on identity, reputation and context.
• For the consumer, Trust Management is about defining a user's device ecosystem, creating a client-aware personal cloud and being able to leverage a third party that can broker security, controls and policies for associated relationships. My car, my family smart TV, my iPad, my wife's laptop, etc. will all need a connected security layer, brokered by a third-party trust management layer, which will enforce policy, attestation, reputation, context, etc.
Big Picture: Client Aware Identity Driven Security
• This vision doesn't propose that we become the sole identity provider or that we own all identity; we will work with social networks, the enterprise and others that originate identity.
• We will broker identity access, authentication and associated relationships for building trust and security policies.
• Within our Trust Management cloud, we manage reputation, relationships, context and security policies for all types of identities: IP addresses, files, applications, people, devices, computers, laptops, mobile, etc.
• The scope of a global trust management service breaks down as follows: Personal Cloud / Family Cloud / Community Cloud --> Enterprise / Government / Third parties (Financial, Healthcare, Retailers, etc.)
Transparency remains the big security challenge. Security remains the top obstacle that people cite when considering a move to the Cloud.
And that’s no real surprise. We’re used to being able to see, smell and touch our infrastructure. With the Cloud, it’s like walking into a room with the lights turned out. Our visibility into where our data is and who has access to it is extremely limited.
So again, the Cloud has introduced lots of complexity, identity is becoming increasingly important, and transparency remains a key obstacle.
Like IDC, Gartner believes cloud computing will be big, with nearly every Fortune 500 company having at least one business-critical application “in the cloud” by 2015. Gartner forecasts cloud spending at $112 billion annually, with the bulk being spent on private clouds and Infrastructure-as-a-Service. Enterprise stat from CDW’s first Cloud Computing Tracking Poll, which surveyed 1,200 IT professionals in U.S. organizations*: most organizations (84%) say they employ at least one cloud application. The most commonly used cloud services are commodity applications: Google, LiveMeeting, WebEx, Salesforce.
This all leads us to where we are today. On the one hand, we all recognize the benefits of Cloud computing: agility, cost, improved efficiencies. Yet despite those benefits, the risks and security concerns continue to plague us, preventing many organizations from adopting Cloud-based solutions. And the big question on most people’s minds is, “What are we going to do about it?” So far, there are two pretty common approaches. The first is to just ignore the security issues and go for it: throw caution to the wind and hope that our data doesn’t get breached in the Cloud, at least not while we’re at the company.
The other approach is to try and ignore the Cloud as much as we can, telling our CEOs that the Cloud just isn’t safe, and continuing to operate as an isolated island. If you have more than, say, one employee with a Facebook account or cell phone, you know that doesn’t work so well either. But I do think there’s another way to think about Cloud computing and security, and how to address the risks and concerns surrounding it without going to these extremes.
And that’s to draw an analogy to bridges, as I alluded to in my presentation title: protecting your critical assets by building a reliable and secure bridge to the Cloud.
When you think about Cloud computing and security, there are really three primary channels of traffic that are used to move data outside the organization to and through the public Cloud ecosystem: Web traffic, Identity or Authentication traffic, and of course Email traffic. Securing these three traffic channels, both inbound and outbound, would be relatively simple if our organizations were simple. But they’re not. The fact is, the proliferation of mobile devices, remote workers and private Clouds makes managing this traffic more complex than ever. This is the most common area for security to break down, leading to data loss or intrusion.
To help address this challenge – and build a secure bridge to the Cloud – we recently introduced the McAfee Cloud Security Platform. The platform is a combination of both McAfee and Intel technologies, providing the most comprehensive coverage of any solution today.
We’ve introduced a new Cloud Security Platform, helping businesses more safely and confidently take advantage of the time and cost-saving benefits of Cloud computing. Rather than adopting the unique, and sometimes unknown, security practices and policies of each Cloud vendor, the McAfee Cloud Security Platform allows businesses to extend and apply their OWN security procedures into the Cloud. Today, this includes securing email traffic, identity traffic, and all web traffic, including mobile and app services traffic. In addition, we offer powerful DLP solutions and capabilities, providing an additional layer of security and protection around your most critical information. Modular by design, the platform gives users the flexibility to choose both the security modules they want or need and the deployment options best for their situation, be it appliance, Software-as-a-Service, or a hybrid combination of both. And like all McAfee solutions, the various security modules are powered by McAfee’s legendary Global Threat Intelligence Network, providing the world’s fastest and most accurate threat detection capabilities. And finally, through ePO integration, we’re able to provide centralized management and reporting.
Here we see the management of services and APIs clearly called out as a separate architecture and role, the Cloud Broker, in the latest NIST Cloud Computing reference architecture. Many analysts, including Gartner, see the Cloud Service Broker (CSB) role as the primary way service traffic will be handled to the cloud.
CSB models can be broken into two forms. A large IT department may choose, for strategic or regulatory reasons, to run its own cloud service brokerage through on-premise software that is available today; or, as third-party CSB specialists come into play, this role can be outsourced as well. If you recall, this is how EDI evolved. EDI used to be managed point to point inside the enterprise with expensive EDI specialist staffs. This moved to the EDI exchange model, where GE Information Services, VANs, and exchange providers such as Covisint in automotive managed the EDI integration between parties. The CSB makes sharing of services simplified, repeatable, and secure.
With all of the Federal Initiatives discussed in this webinar, Intel and McAfee have solutions that address each of the programs. Whether you are talking about Federal ICAM or NSTIC, where we can help with enabling federated access and Cloud SSO with Intel Expressway Cloud Access 360; or whether you are sharing information using NIEM and need a fast path to handling complex XML processing requirements with the help of Intel’s Expressway Service Gateway, so you can accelerate the process; or whether you need an automated method for submitting FISMA audit results and could benefit from McAfee’s Policy Auditor for reporting audit information, or the Vulnerability Manager / CyberScope Data Feed Generator to generate data feed reports that can be submitted to CyberScope: Intel and McAfee have solutions that are government approved and ready for your use.
Tokenization Broker feature detail:
• Software Appliance Form Factor: Red Hat AS5 64-bit, Solaris 10 64-bit, SLES 11, Windows 2003
• Secure Appliance Form Factor: Physical Tripwire, Secure Boot and BIOS, Snooping protection, Seamless Disk Encryption, Hardware Random Number Generation
• Tokenization: Format preserving tokens based on secure random number generation
• Token Vault: Automatic encryption of PAN data (AES/3DES); includes starter token vault; supports Oracle, MySQL, SQL Server
• Authentication and Access Control: Integrates with identity management systems for secure PAN data retrieval
• Performance: Built on Intel’s high-performance service gateway platform optimized for Intel® Multi-Core
Benefits:
• Reduce or remove payment applications and databases from PCI scope
• Own and manage PAN data on-premise with a secure hardware appliance
• Easily choose the tokenization scheme appropriate for your business
• High performance operation ensures low-latency document processing
• Leverage existing enterprise identity management investments
• Avoid token migration challenges
• Minimize change to existing applications compared to E2E Encryption
Tokenization Broker specifications:
• Supported Formats: XML, SOAP, REST, Text, HTML form, XHTML, Word, PDF*
• Protocols: HTTP(S), SOAP, JMS, FTP(S), SFTP
• Strong Authentication for the capture application using industry standards such as SSL/TLS, WS-Security, HTTP Basic Auth, X.509 certificates and SAML
• Secure Channel: Protected channel communication with strong authentication using X.509 certificates
• Enterprise IDM Support including LDAP, Active Directory, CA SiteMinder, Oracle Access Manager, IBM Tivoli Access Manager, WS-Trust
• Tokens: Format preserving surrogates with configurable token formats and masking support
• Token Types: Single-Use or Multi-Use support with configurable lifetimes
• Secure Vault: Embedded vault or use existing Oracle, MySQL, MS SQL database. Supports 2-way SSL.
• Strong PAN Protection: AES-256 and 3DES for PAN Encryption
• Token Generation: Hardware-based random tokens or pseudorandom generation using SHA-2
• Physical Security: Physical Tripwire, Secure Boot and BIOS, Snooping protection, Full Disk Encryption (Appliance SKU Only)
Web, Mobility and Cloud Security
Ramon Peypoch, Vice President, Global Business Development, McAfee
Andy Thurai, Chief Architect and CTO, Application Security and Identity Products, Intel
Building a Secure Bridge to the Cloud (McAfee, An Intel Company)
Ramon Peypoch – Vice President, Network & Cloud Security
Andy Thurai – Intel® Application Security & Identity Products Group, CTO & Chief Architect
Application complexity is increasing with the Cloud ecosystem
Slide graphic: code, apps, mobile, servers, PCs and databases all converging on cloud computing; everything and the kitchen sink.
Cloud Penetrates the Enterprise (chart: enterprises using it; annual spending)
The Power of Cloud Computing:
• Business agility
• Cost efficiencies
• Enhanced innovation
• Improved IT services
However, security remains the roadblock:
• Data loss
• Identity
• Information governance
• Data control
Cloud Ecosystem diagram: partners, cloud applications, customers and vendors on the cloud side; enterprise users, mobile users, applications and the private cloud on the enterprise side; the Web, Email and Authentication traffic channels between them, each exposed to data loss and intrusion.
Cloud Security Platform diagram: the same ecosystem with the platform placed between the enterprise and the cloud. Modules (Services Gateway, Identity Manager, Authentication, Email Security, Web Security, Data Loss Prevention) delivered as appliance or SaaS, backed by Global Threat Intelligence, with unified management, policy and reporting through ePO integration.
Intel ASIP solution set (April 16, 2012)
• MIM (McAfee Identity Manager)
• MSG (McAfee Service Gateway)
  – McAfee Service Gateway
  – McAfee CSB (Cloud Service Broker)
  – McAfee API Gateway
• McAfee TB (Tokenization Broker)
Consistent Security Across Cloud Traffic Channels
App-to-Cloud:
• McAfee Services Gateway: App API & Web Service Security
User-to-Cloud:
• McAfee Identity Manager: Cloud SSO, Strong Auth, Provisioning
• McAfee ePO: Integrated monitoring for Cloud apps
• McAfee Web Gateway: To the Cloud, web filtering; From the Cloud, AV & Malware protection
• McAfee DLP: To/From the Cloud, Data leak protection
• McAfee Global Threat Intelligence: Provides real-time URL and connection reputation
Interoperable Cloud Security Modules, or Operate Stand-alone
McAfee Cloud Identity Manager: Single Sign-on to the Cloud
More Secure Cloud SSO - Federated User Access
• Federated SSO is a pillar for NSTIC, ICAM and other federal identity initiatives
• Drives strong auth access and cross-agency collaboration
• Supports log-in using private sector identity credentials such as OpenID, PayPal, OAuth
• Supports Trust Framework LOA level 3 with SAML ID support
• GSA listed
Diagram: user-to-cloud access from the agency, with AD on premise and the identity service in the cloud.
Only 3-in-1 product to manage user-to-cloud access, combining federal strong auth with SSO:
• Adaptive Strong Auth: 2nd factor OTP AuthN; variety of AuthN methods (mobile devices, SMS, email)
• Secure SSO: federate Windows/AD login via SAML, OAuth; eliminate insecure passwords; Cloud Ready Connectors
• Provision Access: provision/de-provision user accounts; AD integration; de-provision & orphan account reports; sync Id profiles
• Compliance: rich audit trail of user login showing AuthN level
Available direct from Intel or from McAfee as Cloud Identity Manager.
McAfee Services Gateway: Secure & Simplify Consumption of Enterprise/Cloud Apps and Enterprise Services/APIs
Rise of Cloud Service Broker - Widely Recognized as Key Capability For Cloud
NIST - USG Cloud Computing Reference Architecture (diagram):
• Cloud Consumer
• Cloud Provider: Service Layer (SaaS, PaaS, IaaS), Resource Abstraction and Control Layer, Physical Resource Layer (Hardware, Facility); Cloud Service Management (Business Support, Provisioning/Configuration, Portability/Interoperability); Security; Privacy
• Cloud Broker: Service Intermediation, Service Aggregation, Service Arbitrage
• Cloud Auditor: Security Audit, Privacy Impact Audit, Performance Audit
“By 2015, at least 20% of all cloud services will be intermediated via CSBs” – Daryl Plummer, Managing VP, Gartner Fellow
Capabilities Available Today Using Gateway Cloud Service Broker Appliance Software
CSB On Prem (IT departments can run on-prem):
• Value added processing
• Packaged API Level Policies
• Security, Governance, Integration
• Solves Complexity, Overhead
CSB 3rd party Intermediary:
• Identity as a Service
• Security as a Service
• Trust as a Service
APIs are New Cloud Control Point – 1/3 of the enterprise traffic is now API based
Diagram: applications move off premise to cloud providers and leverage third-party services through their APIs; 1/3 of enterprise traffic is via APIs.
APIs are Strategic Control Points for Cloud
Diagram: Core Apps (CRM, Workflow, Doc Mgt, IAM, ERP/Mainframe) connect through an API Broker to Cloud Apps (SaaS CRM, Partner B2B, Social Mashups).
API Management Control:
• Performance Management
• Integration & Service Lifecycle Management
• Enforce Access & ID Token Translation
• Threat Protect - DoS, Content Threats
• Visibility, Auditing, Usage
Service Gateway Revealed
• FIPS 140-2 Level 3 Crypto (Optional)
• Common Criteria EAL4+
• DoD STIG Ready & PKI Certified
• HSM PKI key storage (Optional)
• Cavium crypto acceleration
• Form factors: software, virtual, and tamper resistant
• GSA listed
Tech Agnostic: REST, SOAP, JSON; XML, Binary, ASCII; HTTP, FTP, TCP, JMS, MQ, Custom
Performance: optimized for Intel chips; tie-in to chip roadmap; efficient XML parsing at chip level
No Programming: simple visual workflow building tool
Flexible Coding: Routing, Transform, Validation, Service Call-outs, Firewall rules
Federal Initiatives (Program: Intel / McAfee Solution)
• Identity, Credential and Access Management (ICAM), BAE, HSPD-12, PIV: Enabling federated access, Cloud SSO, account provisioning, strong auth (software one-time passwords); authenticating web services (SOAP, REST); exposing secure APIs.
• NSTIC (provides an “identity ecosystem” for individuals and organizations to utilize secure identity solutions to access online services): Enabling federated access, Cloud SSO, account provisioning, strong auth (software one-time passwords).
• DoD Public Key Infrastructure (data integrity, user identification and authentication, user non-repudiation, data confidentiality, encryption and digital signature services): Ability to authenticate and validate certificates against the DoD root authority.
• NIEM, National Information Exchange Model (the method by which state, local and tribal agencies will share information with federal agencies): Service gateways provide a fast path to handle the complex XML processing requirements for NIEM.
• OMB CyberScope (provides federal agencies an automated method for submitting FISMA audit results): McAfee Policy Auditor, an SCAP-validated product that works with the IPS and endpoint products to report audit information; the Vulnerability Manager / CyberScope Data Feed Generator tool helps generate a data feed report that can be submitted to the CyberScope application.
Tokenization Broker
Feature Summary:
• Flexible Software Appliance Form Factor
• Secure Appliance Form Factor
• Tokenization
• Token Vault
• Authentication & Access Control
• High Performance, optimized for Intel® Multi-Core
Benefit Summary:
• Reduce or remove payment applications and databases from PCI scope
• Own and manage PAN data on-premise with a secure hardware appliance
• Easily choose the tokenization scheme appropriate for your business
• Minimize change to existing applications compared to E2E Encryption
• Address more than 200 PCI compliance requirements through gateway tokenization
Internal Tokenization: Use Case
1. Documents containing PAN data arrive at the point of capture application.
2. The point of capture application forwards the document to the Intel® Expressway Tokenization Broker.
3. The Tokenization Broker generates tokens for the PAN data, encrypts and stores the PANs in the SecureVault, and routes the documents to their destination.
4. Output documents contain tokens in place of PAN data, in print-equivalent or machine readable XML.
5. Downstream applications receive documents with tokens rather than PANs and benefit from reduced or eliminated PCI scope.
6. Token Exchange: reverse the token through the Intel® Expressway Tokenization Broker.
Benefits: wide range of formats; wide range of protocols; strong authentication; secure channel; enterprise IDM; format-preserving surrogate tokens; single-use or multi-use tokens; secure vault; strong PAN protection; multiple token generation options; physical security (Appliance SKU only).
PCI scope: reduced scope or out of scope.
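The use case above, together with the feature lists in the notes (token vault, single-use or multi-use tokens, access-controlled PAN retrieval), as an added example that is not Intel or McAfee code: a small Python broker that finds Luhn-valid PANs in a document, replaces them with format-preserving surrogate tokens, keeps the encrypted PANs in a vault and hands a PAN back only to an authorised principal. The appliance's AES-256 is replaced by a standard-library stand-in (HMAC-SHA256 keystream in counter mode, encrypt-then-MAC); the class, the principal names and the sample document are assumptions made for this example.

```python
# Added example, not Intel/McAfee code: a minimal tokenization broker modelled on
# the use case above. The product's AES-256 vault encryption is replaced by a
# stdlib-only stand-in (HMAC-SHA256 keystream in counter mode, encrypt-then-MAC).
import hashlib, hmac, re, secrets

PAN_RE = re.compile(r"\b\d{13,19}\b")   # candidate PANs: 13-19 digit runs

def luhn_ok(digits: str) -> bool:   # Luhn check: only plausible card numbers get tokenized
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

class TokenizationBroker:
    def __init__(self, enc_key: bytes, index_key: bytes, readers: set):
        self.enc_key, self.index_key, self.readers = enc_key, index_key, readers
        self.vault = {}    # token -> (nonce, ciphertext, tag): the SecureVault
        self.by_pan = {}   # HMAC(PAN) -> token, so multi-use lookups never store PANs

    def _seal(self, pan: str):
        nonce = secrets.token_bytes(16)
        ks = hmac.new(self.enc_key, nonce, hashlib.sha256).digest()
        ct = bytes(a ^ b for a, b in zip(pan.encode(), ks))
        return nonce, ct, hmac.new(self.enc_key, nonce + ct, hashlib.sha256).digest()

    def _open(self, nonce: bytes, ct: bytes, tag: bytes) -> str:
        if not hmac.compare_digest(tag, hmac.new(self.enc_key, nonce + ct, hashlib.sha256).digest()):
            raise ValueError("vault record tampered")
        ks = hmac.new(self.enc_key, nonce, hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(ct, ks)).decode()

    def _new_token(self, pan: str) -> str:
        # Format-preserving surrogate: same length, digits only, last four kept for
        # masking; random body, forced to FAIL Luhn so a token never passes as a PAN.
        while True:
            tok = "".join(secrets.choice("0123456789") for _ in pan[:-4]) + pan[-4:]
            if not luhn_ok(tok) and tok not in self.vault:
                return tok

    def tokenize(self, pan: str, multi_use: bool = True) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a valid PAN")
        idx = hmac.new(self.index_key, pan.encode(), hashlib.sha256).hexdigest()
        if multi_use and idx in self.by_pan:     # multi-use: same PAN, same token
            return self.by_pan[idx]
        tok = self._new_token(pan)               # single-use: fresh token each time
        self.vault[tok] = self._seal(pan)
        if multi_use:
            self.by_pan[idx] = tok
        return tok

    def detokenize(self, tok: str, principal: str) -> str:
        """Token exchange: only principals the IDM authorises get the PAN back."""
        if principal not in self.readers:
            raise PermissionError(f"{principal} may not retrieve PAN data")
        return self._open(*self.vault[tok])

    def process_document(self, doc: str, multi_use: bool = True) -> str:
        """Replace every Luhn-valid PAN in a document with a token, leave the rest."""
        return PAN_RE.sub(lambda m: self.tokenize(m.group(0), multi_use)
                          if luhn_ok(m.group(0)) else m.group(0), doc)

# Constructed sample: two test-card PANs plus a 13-digit order id that fails Luhn.
SAMPLE_XML = ("<order><id>1234567890123</id><card>4111111111111111</card>"
              "<alt>5500000000000004</alt></order>")
```

Running `TokenizationBroker(secrets.token_bytes(32), secrets.token_bytes(32), {"settlement"}).process_document(SAMPLE_XML)` leaves the order id alone and replaces both card numbers with 16-digit tokens ending in the same four digits, which downstream systems can carry without entering PCI scope.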
One Trusted Vendor to Address Your Critical Cloud Security Needs
• Federal PKI/DoD Bridge
• ID Trust Brokering
• XML Transformation
• FIPS L3 Crypto
• Monitoring & Reporting
• Cyber Defense
• Multi-Protocol
• Content Inspection
• Policy Enforcement
• Cloud API
www.intel.com/go/identity
Other Webinars in Info Library:
• NIEM enablement in 60 days
• Portable Security Architecture to Establish Cross Domain
• How to Combat Advanced Persistent Threats
Also available: Federal Cloud Security Paper, Test Drive, Service Gateway Data Sheet, Cloud Access 360 Data Sheet
email: firstname.lastname@example.org