Steve Porter : cloud Computing Security





A recording of the Northwest Regional meeting of the Institute of Information Security Professionals in Manchester on 5th July 2012. Stephen Porter from Trend Micro Limited spoke on the theme of cloud computing security. Copyright of this presentation is held by the author, Stephen Porter.



  • The outside-in approach is still important, but, alone, is not sufficient in today’s evolving data center. Disgruntled employees are already within the perimeter. Advanced Persistent Threats are unique attacks that will not be stopped by many traditional perimeter defenses. And the changing nature of IT is causing deperimeterization with new technologies like virtualization, cloud computing, and consumerization. New security approaches must be added to the traditional outside-in protection.
  • Let’s take a look at a typical attack scenario… APT and targeted attacks typically follow a multi-step scenario employing means that are: Social – targeting and attacking specific people with social engineering and advanced malware; Sophisticated – exploiting vulnerabilities, using backdoor controls, stealing and using valid credentials; and Stealthy – executed in a series of low-profile moves that are undetectable to standard security or buried among thousands of other event logs collected every day. The attack starts with intelligence gathering to create and execute a socially engineered employee infection, then network infiltration, lateral movement across the organization, and finally data discovery and exfiltration – all the while, command & control communication and backdoor controls are executed via remote control.
  • To provide this unique detection, Deep Discovery uses a set of specialized threat engines, reputation services, and correlation rules including: the widest analysis of content inspection; Smart Protection Network reputation and blacklisting; sandbox simulation and analysis; communication fingerprinting; multi-level rule-based event correlation to reduce false positives and detect “low and slow” activity over time; and much more… all powered by over 1000 global threat researchers and the billions of daily events processed by Trend Micro Smart Protection Network. (Use appendix slide for a deeper dive on how detection works.)
  • Deep Discovery uses a multi-level detection scheme to perform initial detection, then simulation and correlation, and ultimately a final cross-correlation to discover “low and slow” and other evasive activities discernible only over an extended period. (Specialized detection and correlation engines provide the most accurate and up-to-date protection aided by global threat intelligence from Trend Micro Smart Protection Network and dedicated Threat Researchers.) The result is a high detection rate, low false positives, and in-depth incident reporting information designed to speed the containment of an attack. Let’s now look at how this detection and analysis information is made available to the security specialist.
  • Each of these platforms has unique security concerns. With physical machines, the manageability of various security solutions can be an issue. There can be a glut of security products—either through excessive layering or overly specialized products. This increases hardware and software costs. Also, management across the different products can be difficult – causing security gaps. And collectively these issues create a higher Total Cost of Ownership. The solution is to reduce complexity by consolidating security vendors and correlating protection. [click] With virtualization, the risks pertain to both performance and threats specific to virtual environments. There is a concern that security will reduce performance, which reduces the ROI of a virtual infrastructure. Also there are unique virtual machine attacks, such as inter-VM threats. Here the solution is increased efficiency—security that optimizes performance while also defending against traditional as well as virtualization-specific threats. [click] With cloud services, the risks pertain to less visibility and cloud-specific threats. Companies are concerned about having less visibility into their applications and data. And they are concerned about increased external threats, especially in multi-tenant environments. For the cloud, businesses need security that allows them to use the cloud to deliver IT agility. Data must be able to safely migrate from on-premise data centers to private clouds to public clouds so organizations can make the best use of resources. [click] As we’ll see later, all of these concerns can be addressed, through protection that is provided in an integrated security solution all managed through one console. With cross-platform security, you’ll stay protected as your data center and virtual or cloud deployments evolve, allowing you to leverage the benefits of each platform while defending against the threats unique to each environment.
  • Now we’ll step through each platform individually, starting with physical servers and endpoints. Regardless of how your business evolves, you’ll still need dedicated physical servers. They give you the highest level of visibility and control, provide dedicated computing resources, and support specialty hardware and software. Today, the security that is needed for physical machines is relatively well known. The issue is more, how do I deploy effective protection while reducing management. Integrating security onto one platform reduces the glut of security products which in turn reduces management and costs.
  • As you can see here, an integrated approach to server security includes a Firewall, HIPS and Virtual Patching, Web Application Protection, Antivirus, File Integrity Monitoring, and Log Inspection. [click] To reduce complexity, all of these capabilities should be integrated into one solution and should be managed through one console with advanced reporting capabilities. Here we’re talking about how to reduce complexity with your physical server security. But when this protection is provided in a cross-platform solution, your security can also travel with you as your business evolves to use virtualization and the cloud.
  • The next platform we’ll discuss is virtualization. Most companies are virtualizing their data centers. In a recent survey by Trend Micro, 59% of respondents had server virtualization in production or trial, and 52% had desktop virtualization in As the foundation to the cloud, businesses should deploy virtualization security that protects their data center virtual machines as well as their virtual machines that are moved to private and public cloud environments. In the next few slides, we will discuss virtualization security challenges and the solutions to address these challenges, using virtualization-aware security.
  • The final virtualization challenge we’ll discuss is the complexity of management. Virtual machines are dynamic. They can quickly be reverted to previous instances, paused, and restarted, all relatively easily. They can also be readily cloned and seamlessly moved between physical servers. Vulnerabilities or configuration errors may be unknowingly propagated. Also, it is difficult to maintain an auditable record of the security state of a virtual machine at any given point in time. [click] This dynamic nature and potential for VM sprawl makes it difficult to achieve and maintain consistent security. Hypervisor introspection is needed for visibility and control. Security that leverages the hypervisor APIs can ensure that each guest VM on the host remains secure and that this security coordinates with the virtualization platform.
  • Next we’ll cover instant-on gaps. [click] Unlike a physical machine, when a virtual machine is offline it is still available to any application that can access the virtual machine storage over the network, and is therefore susceptible to malware infection. However, dormant or offline VMs do not have the ability to run an antimalware scan agent. [click] Also, when dormant VMs are reactivated, they may have out-of-date security. [click] One of the benefits of virtualization is the ease with which VMs can be cloned. However, if a VM with out-of-date security is cloned, the new VM will have out-of-date security as well. New VMs must have a configured security agent and updated pattern files to be effectively protected. [click] Again the solution is a dedicated security virtual appliance that can ensure that guest VMs on the same host have up-to-date security if accessed or reactivated, and can make sure that newly provisioned VMs also have current security. This security virtual appliance should include layered protection that integrates multiple technologies such as antivirus, integrity monitoring, intrusion detection and prevention, virtual patching, and more.
  • I’d now like to highlight a couple of additional virtualization challenges. The next one we’ll discuss today is inter-VM attacks and blind spots. [click] When a threat penetrates a virtual machine, the threat can then spread to other virtual machines on the same host. Traditional security such as hardware-based firewalls might protect the host, but not the guest virtual machines. And cross-VM communication might not leave the host to be routed through other forms of security, creating a blind spot. [click] For the solution, protection must be applied at the individual virtual machine level, not the host level, to ensure security. And integration with the virtualization platform, such as VMware, provides the ability to communicate with the guest virtual machines. Also, virtual patching ensures that VMs stay secure until patches can be deployed.
  • As you heard, VMware released vShield last year. vShield Endpoint is a set of APIs ….. which today are only completed with Trend’s agentless antivirus solution.
  • VMware controls more than half of the virtualization market. Virtualization security must fit into the VMware ecosystem to effectively support enterprise virtualization efforts. Here we demonstrate the different VM-security aspects and how they can fit into a VMware infrastructure. [click] The pairing of agentless antivirus and agentless integrity monitoring with vShield Endpoint enables a massive reduction in memory footprint for security on virtual hosts by eliminating security agents from the guest virtual machines and centralizing those functions on a dedicated security virtual machine. [click] Protection such as intrusion detection and prevention, web application protection, application control, and firewall can be integrated with VMware using VMsafe APIs, integrating security with VMware vSphere environments. Again this can be an agentless option. [click] And finally, log inspection, which optimizes the identification of important security events buried in log entries, can be applied through agent-based protection on each VM. [click] These elements can be integrated and centrally managed with VMware vCenter Server. Together, these provide comprehensive, integrated virtual server and desktop security.
  • Key items to note: Symantec has no web threat protection (blocking the source), therefore all detection comes at the endpoint, using up valuable bandwidth (to download the file) and resources (to scan the file). Microsoft is similar. Overall, OfficeScan scored 16% better protection than the next competitor.
  • I mentioned that the agentless approach began with agentless antivirus. Trend Micro’s agentless antivirus solution was available starting in 2010, so there’s been an opportunity to test its success. In an independent study by Tolly Enterprises, Trend Micro agentless antivirus was tested against leading traditional antivirus solutions that do not use a dedicated security virtual appliance and agentless antivirus, and the results were striking. Trend Micro’s agentless antivirus achieved 3 times higher VDI VM consolidation ratios—and similar results extended to server virtualization as well. The VDI results translate into saving almost $540,000 every 3 years for each 1000 virtual desktops.
  • Now we’ll cover the final platform, cloud computing. Cloud computing is usually built on virtualization. So all of the challenges and solutions we discussed in the previous section on virtualization apply to the cloud. But cloud computing also introduces its own challenges as well as solutions. Let’s take a look.
  • The final cloud computing challenge we’ll discuss today is data destruction. As I mentioned before, cloud data can move to make the best use of resources. [click] But when data is moved, sometimes remnants remain if the data in the previous location is not completely shredded. These remaining data remnants can create a security concern. [click] Again encryption is the solution because any remaining data remnants are unreadable if accessed by unauthorized users.
  • So what is the solution? Cloud protection should include self-defending VM security that travels with the virtual machine into a cloud infrastructure. This allows businesses to transfer a complete security stack into the cloud and retain control. And this cloud security should be provided in a modular infrastructure with both agentless and agent-based options so it can be customized to your individual cloud deployment needs. The security should be provided on one platform that is managed through a single console—across your physical, virtual, and cloud deployments, including private, public, and hybrid clouds. [click] Another method of protecting data in the cloud is encryption with policy-based key management. The solution should start with industry-standard encryption that renders your data unreadable to outsiders. Even if your data is moved and residual data is left behind, the data in the recycled devices is obscured. It is critical to have this encryption accessed through policy-based key management to specify when and where your data is accessed. And through policies, identity- and integrity-based validation rules specify which servers have access to decryption keys. An encryption solution should also give the option to access keys through a SaaS or on-site virtual appliance with customer control over the keys to support a clear separation of duties and to avoid vendor lock-in. An encryption solution with policy-based key management allows even heavily regulated companies to leverage the flexibility and cost savings of the public cloud while ensuring their data stays secure. [click] These two solution elements can be integrated with a context approach to security. For example, encryption policies can specify that encryption keys will not be released unless the requesting server has up-to-date security, ensuring that the data stays protected when accessed by self-defending VM security. [click] And this security should work with multiple cloud platforms—allowing you to create the right cloud environment for your business.
  • Earlier we reviewed how the Trend Micro server security platform with modular security integrates with a VMware ecosystem. Here we see how Trend Micro’s cloud data encryption solution—SecureCloud—supports a VMware environment. Here we see the VMware ecosystem with vSphere, which creates a virtualization platform, and vCloud, which provides technologies to support private and public clouds. vCloud Director provides a management portal into these cloud technologies. [click] Trend Micro SecureCloud leverages information from vSphere and vCloud to provide native support for these environments. [click] Then SecureCloud can provide encryption capabilities in VMware virtual, private, and public cloud environments. [click] This gives companies encryption support today and as their data centers evolve.
  • As we’ve discussed here, Trend Micro’s server security platform provides specialized protection across physical, virtual, and cloud. [Briefly step through points on slide.]
  • Trend Micro was VMware’s 2011 Technology Alliance Partner of the Year. This timeline helps highlight some of our achievements in our partnership with VMware, starting back in 2008. [Highlight a couple of key points from the timeline—do not cover it all.]
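The multi-step APT scenario and the “low and slow” multi-level correlation described in the speaker notes above, reduced to working code as an added example for this page (it is not Trend Micro or Deep Discovery code). Four per-stage rules run over a constructed event list, and an alert is raised only when several stages line up for one host inside a time window; the event fields, thresholds, host names and addresses are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). ws-17 shows a slow multi-stage
# pattern: one document exploit, a tiny daily beacon to the same rare host for
# ten days, two logons to internal servers it never used before, then one large
# upload. ws-22 only performs a single large (legitimate backup) upload.
SAMPLE_EVENTS = [
    {"ts": "2012-06-01T09:12:00", "host": "ws-17", "type": "doc_exploit", "detail": "invoice.pdf"},
    *[{"ts": f"2012-06-{d:02d}T03:15:00", "host": "ws-17", "type": "outbound",
       "detail": "203.0.113.9", "bytes": 512} for d in range(2, 12)],
    {"ts": "2012-06-08T22:40:00", "host": "ws-17", "type": "logon", "detail": "fileserver-02"},
    {"ts": "2012-06-09T22:41:00", "host": "ws-17", "type": "logon", "detail": "fileserver-03"},
    {"ts": "2012-06-11T03:20:00", "host": "ws-17", "type": "outbound",
     "detail": "203.0.113.9", "bytes": 250_000_000},
    {"ts": "2012-06-05T10:00:00", "host": "ws-22", "type": "outbound",
     "detail": "198.51.100.7", "bytes": 400_000_000},
    {"ts": "2012-06-05T10:05:00", "host": "ws-22", "type": "logon", "detail": "fileserver-02"},
]

# Assumed thresholds. Each rule on its own is deliberately loose; the noise is
# removed by requiring several stages to coincide for the same host.
BEACON_MIN_DAYS = 7           # distinct days of small connections to one destination
BEACON_MAX_BYTES = 10_000     # "small" enough to hide among normal traffic
EXFIL_MIN_BYTES = 100_000_000
LATERAL_MIN_TARGETS = 2


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def stages_for_host(events):
    """Run each per-stage rule over one host's events; return the set of stages observed."""
    stages = set()
    if any(e["type"] == "doc_exploit" for e in events):
        stages.add("malicious_content")
    # Low-and-slow beaconing: many distinct days of tiny connections to one destination.
    small_days = defaultdict(set)
    for e in events:
        if e["type"] == "outbound" and e["bytes"] < BEACON_MAX_BYTES:
            small_days[e["detail"]].add(_parse(e["ts"]).date())
    if any(len(days) >= BEACON_MIN_DAYS for days in small_days.values()):
        stages.add("suspect_communication")
    targets = {e["detail"] for e in events if e["type"] == "logon"}
    if len(targets) >= LATERAL_MIN_TARGETS:
        stages.add("lateral_movement")
    if any(e["type"] == "outbound" and e["bytes"] >= EXFIL_MIN_BYTES for e in events):
        stages.add("data_exfiltration")
    return stages


def correlate(events, window_days=30, min_stages=3):
    """Cross-correlate per-host stages in a window ending at the host's newest event.

    Returns {host: sorted stage list} only for hosts that reached min_stages."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    alerts = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])            # ISO timestamps sort lexically
        window_start = _parse(evs[-1]["ts"]) - timedelta(days=window_days)
        recent = [e for e in evs if _parse(e["ts"]) >= window_start]
        stages = stages_for_host(recent)
        if len(stages) >= min_stages:
            alerts[host] = sorted(stages)
    return alerts


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(stages)}")
```

Run with `min_stages=1` and ws-22 is flagged for its single large upload, which is exactly the kind of false positive the cross-correlation step exists to suppress.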
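The instant-on gap notes above say a dedicated security virtual appliance must make sure dormant, reactivated, cloned and newly provisioned guests have a configured agent and current pattern files before they are trusted. The gate below is an added example of that check (not Deep Security code): given a constructed inventory and a list of lifecycle events, it returns the actions still outstanding for each guest and admits only those with none. The pattern version, age limit, VM names and event names are assumptions.

```python
from datetime import datetime, timedelta

# Assumed: the pattern version the security virtual appliance currently holds,
# and how old a guest's pattern may be before it counts as out of date.
CURRENT_PATTERN = 9120
MAX_PATTERN_AGE = timedelta(days=1)

# Constructed inventory (not real hosts). pattern_time is when the guest last
# received a pattern update; None means no security policy is assigned at all.
INVENTORY = {
    "web-01":        {"state": "active",  "protected": True,  "pattern": 9120, "pattern_time": "2012-07-05T06:00:00"},
    "batch-07":      {"state": "dormant", "protected": True,  "pattern": 8850, "pattern_time": "2012-05-20T06:00:00"},
    "template-base": {"state": "dormant", "protected": False, "pattern": None, "pattern_time": None},
}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def pattern_is_stale(vm, now, current_pattern=CURRENT_PATTERN):
    """True when the guest has no pattern, an older version than the appliance, or one past MAX_PATTERN_AGE."""
    if vm["pattern"] is None or vm["pattern"] < current_pattern:
        return True
    return now - _parse(vm["pattern_time"]) > MAX_PATTERN_AGE


def required_actions(vm, event, now):
    """Actions the appliance must finish before the guest is allowed onto the network.

    event is one of: reactivate (dormant -> active), clone (new VM inherits vm's
    state), provision (new VM from this template), migrate (moved to another host).
    """
    actions = []
    if not vm["protected"]:
        actions.append("assign_security_policy")
    if pattern_is_stale(vm, now):
        actions.append("update_pattern")
    # A dormant guest's disk was reachable over shared storage while no agent could run in it.
    if event in ("reactivate", "clone") and vm["state"] == "dormant":
        actions.append("scan_disk_before_start")
    if event in ("clone", "provision"):
        actions.append("register_new_vm_with_appliance")
    return actions


def lifecycle_gate(events, now_ts, inventory=INVENTORY):
    """Evaluate (vm_name, event) pairs at time now_ts; admit only guests with nothing left to do."""
    now = _parse(now_ts)
    decisions = {}
    for name, event in events:
        actions = required_actions(inventory[name], event, now)
        decisions[(name, event)] = {"actions": actions, "admit": not actions}
    return decisions


if __name__ == "__main__":
    batch = [("web-01", "migrate"), ("batch-07", "reactivate"),
             ("batch-07", "clone"), ("template-base", "provision")]
    for key, d in lifecycle_gate(batch, "2012-07-05T09:00:00").items():
        print(key, "ADMIT" if d["admit"] else "HOLD", d["actions"])
```

The same stale-pattern test is what a policy-based key service can consult before releasing decryption keys, so a guest that fails this gate also cannot open encrypted volumes.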
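The data destruction notes above argue that remnants left behind when data moves are harmless only if the data was encrypted. The following added example (not SecureCloud code) makes that concrete with a tiny block “volume”: a record is written, copied to a new block, and the old block is left unshredded; with plaintext storage the remnant still contains the secret, with encrypted storage it does not, while the key holder can still read the moved copy. The stream cipher is an illustrative HMAC-SHA256 counter-mode construction chosen so the example needs only the standard library; the industry-standard encryption the talk refers to would be AES, and the volume layout and secret are constructed.

```python
import hashlib
import hmac
import secrets

# Illustrative PRF-based stream cipher (HMAC-SHA256 in counter mode). Assumption for
# this example only; a product would use AES. Never reuse a (key, nonce) pair.
def keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, nonce, data):
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


decrypt = encrypt  # XOR with the same keystream undoes the encryption


# A toy storage volume: fixed-size blocks that can be read, written and wiped.
BLOCK = 64


class Volume:
    def __init__(self, blocks):
        self.data = bytearray(BLOCK * blocks)

    def write(self, block, payload):
        assert len(payload) <= BLOCK
        self.data[block * BLOCK: block * BLOCK + len(payload)] = payload

    def read(self, block):
        return bytes(self.data[block * BLOCK:(block + 1) * BLOCK])

    def shred(self, block):
        self.data[block * BLOCK:(block + 1) * BLOCK] = bytes(BLOCK)


def move_without_shred(volume, src, dst):
    """Copy a block elsewhere and simply forget the old location: the remnant case from the talk."""
    volume.write(dst, volume.read(src))


def remnant_leaks(volume, block, secret):
    """True if the abandoned block still contains the secret in readable form."""
    return secret in volume.read(block)


SECRET = b"Sensitive Research Results: compound X-17 efficacy 83%"  # constructed


def demo(encrypted):
    """Store SECRET (encrypted or not), move it, and inspect the remnant and the copy."""
    vol = Volume(8)
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    payload = encrypt(key, nonce, SECRET) if encrypted else SECRET
    vol.write(0, payload)
    move_without_shred(vol, 0, 5)
    copy = vol.read(5)[:len(SECRET)]
    owner_view = decrypt(key, nonce, copy) if encrypted else copy
    # Destroying `key` afterwards is what makes an encrypted remnant permanently
    # unreadable (crypto-shredding), without having to locate and wipe every copy.
    return {"remnant_leaks_plaintext": remnant_leaks(vol, 0, SECRET),
            "owner_can_read_copy": owner_view == SECRET}


if __name__ == "__main__":
    print("plaintext volume:", demo(encrypted=False))
    print("encrypted volume:", demo(encrypted=True))
```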
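The policy-based key management described in the solution notes above releases a decryption key only after identity- and integrity-based validation of the requesting server, including a check that its security is up to date, and records when and where data is accessed. The decision logic below is an added example of such a key service (not SecureCloud code): every rule that fails is listed so a denial is auditable, and each decision is appended to an audit trail. The policy contents, server names, fingerprints, locations and the placeholder key bytes are all constructed.

```python
import hmac
from datetime import datetime

# Constructed policy: which servers may ever receive which data key, identified by
# a fingerprint of the server image/certificate (hex values here are made up).
KEY_POLICY = {
    "research-vol-key": {
        "servers": {"research-db-01": "a3f1c9e2", "research-db-02": "7b2d0e44"},
        "locations": {"eu-west-dc1", "eu-west-cloud1"},
        "hours": range(6, 22),            # release only inside the operations window
        "max_pattern_age_hours": 24,       # currency rule fed by the security agent/appliance
    }
}

# Placeholder key material; a real service keeps keys wrapped in an HSM or key service.
KEY_STORE = {"research-vol-key": bytes(range(32))}

# Constructed requests as the self-defending VM's agent would present them.
GOOD_REQUEST = {"key_id": "research-vol-key", "server_id": "research-db-01",
                "fingerprint": "a3f1c9e2", "integrity_ok": True,
                "pattern_age_hours": 3, "location": "eu-west-cloud1"}
STALE_AGENT_REQUEST = dict(GOOD_REQUEST, pattern_age_hours=80)
WRONG_FINGERPRINT_REQUEST = dict(GOOD_REQUEST, fingerprint="deadbeef")


def evaluate_request(request, now_ts, policy=KEY_POLICY):
    """Return (granted, reasons); reasons names every rule that failed."""
    now = datetime.strptime(now_ts, "%Y-%m-%dT%H:%M:%S")
    p = policy.get(request["key_id"])
    if p is None:
        return False, ["unknown key"]
    reasons = []
    expected_fp = p["servers"].get(request["server_id"])
    # Identity: the server must be on the list and present the expected fingerprint.
    if expected_fp is None or not hmac.compare_digest(expected_fp, request["fingerprint"]):
        reasons.append("identity: server not authorised or fingerprint mismatch")
    # Integrity: the agent's file-integrity check on the server must have passed.
    if not request["integrity_ok"]:
        reasons.append("integrity: file integrity check failed")
    # Currency: keys are withheld from servers whose security is out of date.
    if request["pattern_age_hours"] > p["max_pattern_age_hours"]:
        reasons.append("currency: security agent pattern older than policy allows")
    # Where and when the data may be accessed.
    if request["location"] not in p["locations"]:
        reasons.append("location: not an approved data centre or cloud")
    if now.hour not in p["hours"]:
        reasons.append("time: outside release window")
    return not reasons, reasons


def release_key(request, now_ts, audit):
    """Append the decision to the audit trail and return the key only when policy passes."""
    granted, reasons = evaluate_request(request, now_ts)
    audit.append({"ts": now_ts, "server": request["server_id"], "key": request["key_id"],
                  "location": request["location"], "granted": granted, "reasons": reasons})
    return KEY_STORE[request["key_id"]] if granted else None


if __name__ == "__main__":
    trail = []
    for req in (GOOD_REQUEST, STALE_AGENT_REQUEST, WRONG_FINGERPRINT_REQUEST):
        key = release_key(req, "2012-07-05T10:00:00", trail)
        print(req["server_id"], "GRANTED" if key else "DENIED", trail[-1]["reasons"])
```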

Presentation Transcript

  • Securing Your Journey to the Cloud Trend Micro Stephen Porter Alliance BDM Data Center Evolution: Physical. Virtual. Cloud.
  • Control vs Responsibility? (chart: % enterprise responsibility and the resulting control gap across Servers, Virtualization & Private Cloud, Public Cloud PaaS, Public Cloud IaaS, Public Cloud SaaS)
  • Amazon Web Services™ Customer Agreement 7.2. Security. We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications. (3 March 2010) The cloud customer has responsibility for security and needs to plan for protection.
  • A New Model for Security – Securing the Computing Chain. All environments should be considered un-trusted. Users access app; host defends itself from attack; image ensures data is always encrypted and managed; encrypted data; encryption keys only controlled by you. When this whole chain is secure, components can move (DC1, LAN 1; Cloud 1, LAN 2; Data Cloud, LAN 1; Data DC2, LAN 2): virtual “neighbours” don’t matter, location doesn’t matter, service provider “lock” goes away, shared storage ROI goes up
  • Advanced Targeted Threats Empowered Employees Re-Perimeterization Virtualization, Cloud Consumerization & Mobility Outside-in Perimeter Defense Isn’t Enough… Source: Forrester
  • Reduce Noise – Stopping stuff on the outside from getting inside allows a focus on events on the inside that would otherwise be impossible
  • APT and Targeted Attack Profile Social • Spear Phishing • Drive-by Downloads • Zero-day malware Key Characteristics Stealthy • Low profile • Masked activities • Requires specialized detection Sophisticated • Exploits vulnerabilities • Remote control and backdoor • Uses credentials & privileges
  • Deep Discovery: Key Technologies • Deep content inspection across 100’s of protocols & applications • Smart Protection Network reputation and dynamic black listing • Sandbox simulation and analysis • Communication fingerprinting • Multi-level rule-based event correlation • And more… Driven by Trend Micro threat researchers and billions of daily events. Specialized Threat Detection Across the Attack Sequence – Malicious Content • Emails containing embedded document exploits • Drive-by Downloads • Zero-day and known malware. Suspect Communication • C&C communication for any type of malware & bots • Backdoor activity by attacker. Attack Behavior • Malware activity: propagation, downloading, spamming . . . • Attacker activity: scan, brute force, service exploitation . . . • Data exfiltration communication
  • Real-Time Inspection: Analyze, Simulate, Correlate (Deep Analysis). Actionable Intelligence: Threat Connect, Watch List, GeoPlotting, Alerts, Reports, Evidence Gathering. Visibility – Real-time Dashboards; Insight – Risk-based Analysis; Action – Remediation Intelligence. Identify Attack Behavior & Reduce False Positives; Detect Malicious Content and Communication. Out of band network data feed of all network traffic
  • One Security Model is Possible across Physical, Virtual, and Cloud Environments – Integrated Security: Single Management Console. PLATFORM-SPECIFIC SECURITY RISKS:
    Physical – Manageability: glut of security products, less security, higher TCO → Reduce Complexity
    Virtual – Performance & Threats: traditional security degrades performance, new VM-based threats → Increase Efficiency
    Cloud – Visibility & Threats: less visibility, more external risks → Deliver Agility
  • Consolidate Physical Security REDUCE COMPLEXITY
  • One Server Security Platform REDUCE COMPLEXITY Firewall HIPS / Virtual Patching Web Application Protection Antivirus Integrity Monitoring Log Inspection Advanced Reporting Module Single Management Console Software Agent Based Solution
  • Server and Desktop Virtualization Security INCREASE EFFICIENCY
  • Challenge: Complexity of Management VIRTUALIZATION SECURITY VM sprawl inhibits compliance Patch agents Rollout patterns Provisioning new VMs Reconfiguring agents
  • Challenge: Instant-on Gaps VIRTUALIZATION SECURITY – Dormant → Active → Reactivated with out-dated security → Cloned. Reactivated and cloned VMs can have out-of-date security
  • Challenge: Dynamic movement (Load Balancing or V-Motion) VIRTUALIZATION SECURITY – VMs moving between hosts can cause manual intervention and introduce risk
  • Challenge: Resource Contention VIRTUALIZATION SECURITY Typical Security Console 09:00am Virus Definition Updates Configuration Storm Automatic security scans overburden the system 3:00am Integrity Scan
  • VMware vShield – Securing the Private Cloud End to End: from the Edge to the Endpoint. Edge – vShield Edge: secure the edge of the virtual datacenter. Security Zone – vShield App and Zones: application protection from network based threats. Endpoint = VM – vShield Endpoint: enables offloaded security (FIM, anti-virus, IDS/IPS …). Diagram: Virtual Datacenter 1, Virtual Datacenter 2, DMZ, PCI compliant, GPG13 compliant, Web View, VMware vShield Manager
  • Fitting into the VMware Ecosystem VIRTUALIZATION SECURITY – vSphere Virtual Environment (integrates with vCenter). Trend Micro Deep Security: Security Virtual Machine – agentless Antivirus and Integrity Monitoring via vShield Endpoint; agentless IDS / IPS, Web Application Protection, Application Control and Firewall via other VMware APIs; agent-based Log Inspection
  • Secure the lifecycle of the VM VIRTUALIZATION SECURITY – Moving VMs, Restarted VM, Self Service new VMs, Reconfiguring VM, Clones. Relevant Deep Security Controls at each stage: FIM, DPI, Firewall, AV. Recommendation Scan via vCenter
  • Jan 2011 results of testing conducted by … – Threats prevented at each layer (of total threats that reached that layer). Average of all enterprise products, End-to-End 75% (149 of 200): 200 threats → 33% (65 / 200) → 135 threats → 53% (72 / 135) → 65 threats → 19% (12 / 65) → 51 threats. 97% of threats blocked at the first layer of defense.
                     Trend Micro        Microsoft          Sophos             McAfee             Symantec
    Exposure Layer   97% (194 of 200)   2% (3 of 200)      63% (126 of 200)   1% (2 of 200)      0% (0 of 200)
    Infection Layer  67% (4 of 6)       68% (134 of 197)   19% (14 of 74)     50% (99 of 198)    54% (108 of 200)
    Dynamic Layer    100% (2 of 2)      6% (4 of 63)       23% (14 of 60)     25% (25 of 99)     16% (15 of 92)
    All Layers       100% (200 of 200)  71% (141 of 200)   77% (154 of 200)   63% (126 of 200)   62% (123 of 200)
  • Integrated Management - vCenter Deep Security 8.0 VM Lifecycle • Creation • Configuration • Deployment • Dynamic update • V-Motion • Restart vCenter
  • Increased ROI with Deep Security – Example: Agentless Antivirus VIRTUALIZATION SECURITY. 3X higher VDI VM consolidation ratios (chart, VM servers per host: Traditional AV 25, Agentless AV 75). 3-year Savings on 1000 VDI VMs = $539,600. Sources: Tolly Enterprises Test Report, Trend Micro Deep Security vs. McAfee and Symantec, February 2011; Saving estimate based on VMware ROI calculations
  • Cloud Deployments and Security DELIVER AGILITY
  • Protect my data – Inside-out Security: Smart, Context aware, Self-Secured Workload, Local Threat Intelligence. When – Timeline Aware; Who – Identity Aware; Where – Location Aware; What – Content Aware. User-defined Access Policies, Encryption. DATA / INSIDE-OUT SECURITY
  • Challenge: Data Destruction CLOUD SECURITY – When data is moved, unsecured data remnants can remain
  • What is the Solution? Data Protection CLOUD SECURITY. Data Security – Encryption with Policy-based Key Management: unreadable for unauthorized users; control of when and where data is accessed; server validation; custody of keys. Server & App Security – Modular Protection: self-defending VM security; agentless and agent-based; one management portal for all modules, all deployments. vSphere & vCloud Integration ensures servers have up-to-date security before encryption keys are released. (Example data: Sensitive Research Results)
  • Fitting Encryption into a VMware Ecosystem CLOUD SECURITY – Encryption throughout your cloud journey: data protection for virtual & cloud environments. Trend Micro SecureCloud (Key Service Console, Enterprise Key) over VMware vSphere and VMware vCloud, covering VMs in the Data Center, Private Cloud and Public Cloud
  • Test Deep Security / SecureCloud Example Classification – VMware vSphere ESX hosting Customer 1 and Customer 2 Unix/Win Servers; Encrypted Volumes on SAN, NAS, Cloud Service …; Policy Server; Key Service
  • Specialized Protection for Physical, Virtual, and Cloud Physical Virtual Cloud TREND MICRO DEEP SECURITY Only fully integrated server security platform First hypervisor-integrated agentless antivirus First agentless file integrity monitoring (FIM) Only solution in its category to be EAL4+ and FIPS certified
  • 2011 Technology Alliance Partner of the Year TREND MICRO: VMWARE’S NUMBER 1 SECURITY PARTNER Improves Security by providing the most secure virtualization infrastructure, with APIs, and certification programs Improves Virtualization by providing security solutions architected to fully exploit the VMware platform 2008 2009 2011 Feb: Join VMsafe program RSA: Trend Micro VMsafe demo, announces Coordinated approach & Virtual pricing RSA: Trend Micro announces virtual appliance 2010: >100 customers >$1M revenue VMworld: Announce Deep Security 8 w/ Agentless FIM 1000 Agentless customers VMworld: Trend virtsec customer, case study, webinar, video May: Trend acquires Third Brigade July: CPVM GA Nov: Deep Security 7 with virtual appliance RSA: Trend Micro Demos Agentless 2010 Q4: Joined EPSEC vShield Program VMworld: Announce Deep Security 7.5 Sale of DS 7.5 Before GA Dec: Deep Security 7.5 w/ Agentless Antivirus RSA: Other vendors “announce” Agentless