Intel Cloud Summit: Greg Brown McAfee

Published in Technology, Business
  • 1. Creating Cloud Confidence
    Greg Brown, VP, CTO - Cloud and Data Center Solutions
    www.mcafee.com/networksecurity
    greg_brown@mcafee.com
    August 2012
  • 2. Can I Borrow $20? How About $100,00?
    August 28, 2012
  • 3. And Now?
  • 4. Should We Think About Data Center the Same Way?
  • 5. Can We Apply the Security Here?
  • 6. Challenges: Loss of Physical Controls
  • 7. Challenges: Loss of Physical Controls
  • 8. Challenges: New Attack Surfaces
    Stack as listed on the slide: Data, Application, OS, Provisioning, Hypervisor, Platform, BIOS, Processor
  • 9. Challenges: New Attack Surfaces
    Stack as listed on the slide: Data, Application, OS (each shown twice), Provisioning, Hypervisor, Platform, BIOS, Processor
  • 10. Challenge: Extending Compliance
    PHYSICAL: MFR | ENG | HR
    VIRTUALIZED: MFR, ENG, HR
    CLOUD: Company A, Company B
  • 11. Building Foundation of Client to Cloud Security
    Cloud Security Mission: Worry-Free Cloud Computing. Make cloud security equal to or better than traditional best-in-class enterprise security.
    Diagram labels: User & Intelligent Devices; Public/Private Clouds (Servers, Network, Storage); Private Cloud; Public Cloud
    • Secure the Devices: Identity, device integrity & data protection
    • Secure the Connections: Apps, data, traffic
    • Secure Cloud Datacenters: Infrastructure & data protection, audit/compliance
    Common Security Standards & Broad Industry Collaboration
    Hardware-enhanced security + software & services key to achieve mission
    McAfee Confidential
  • 12. Up and Down – Integrity
    Server Infrastructure integrity layers, each with its Intel technology and McAfee product:
    • Endpoint Aware Integrity: Client/cloud mutual trust. Intel Identity Theft Protection (ITP); EMM/MMS, NG Endpoint
    • Real-time Integrity: Continuous monitoring. GTI
    • Security Stack Integrity: Security systems operational. MOVE, McAfee Application Control & Change Control
    • VM Integrity: Ensure all VMs are “known good”. Intel Virtualization Technology (VT); SIA Vendors
    • Location & Asset Control: Control workload location
    • Host Integrity: Ensure server is “known good”. Intel Trusted Execution Technology (TXT)
    • External Assessment and Reputation: Validate web server is authentic. McAfee SiteAdvisor Enterprise, McAfee Cloud Secure, Digital Certificates
    Will deliver on-going advancements to hardware & software security for greater controls & auditability
  • 13. Extending Security to the Virtual Cloud World
    Diagram: Virtualized and Private Cloud Data Center; Public Cloud Data Center. Company A (Mfg, Sales, HR), Company B, Company C (Sales); VMM.
    Extended Security Policy:
    • Isolate, protect, control VMs (Intel Virtualization Tech., Intel Trusted Execution Tech., McAfee MOVE AV*)
    • Provide visibility & reporting
    • Apply security policy at multiple control points (McAfee ePO, Intel TXT)
    • Monitor workloads across cloud infrastructures (McAfee ePO¹)
    Intel Trusted Execution Technology is run: Server “known good”
    Intel Trusted Execution Technology is run: “issue identified”
    ¹ Integrating McAfee ePolicy Orchestrator (ePO) with Intel TXT requires custom integration work
    *McAfee MOVE AV = McAfee Management of Optimized Virtualized Environments Anti-Virus
  • 14. McAfee Datacenter Security: The Heart of a Flexible, Efficient, Secure Next Generation Data Center
    Security Management
  • 15. McAfee Datacenter Security: The Heart of a Flexible, Efficient, Secure Next Generation Data Center
    Comprehensive Security for Servers
    • Blacklisting: Advanced anti-malware protection (McAfee VirusScan Enterprise)
    • Whitelisting: Complete protection from malicious code and applications (McAfee Application Control)
    • System Control: Server configuration control and tracking against internal “gold standards” (McAfee Change Control)
    • Virtualization: Advanced anti-malware protection extended to the virtual machines (McAfee MOVE-AV)
  • 16. McAfee Datacenter Security: The Heart of a Flexible, Efficient, Secure Next Generation Data Center
    Reliable Real-Time Protection for Business-Critical Databases
    • Database discovery and comprehensive vulnerability assessment (McAfee Vulnerability Manager for Databases)
    • Non-intrusive, real-time database visibility & protection across all threat vectors (McAfee Database Activity Monitoring)
    • Patch databases without downtime (McAfee Virtual Patching for Databases)
  • 17. McAfee Datacenter Security: The Heart of a Flexible, Efficient, Secure Next Generation Data Center
    Industry-leading next generation Network Protection Solutions
    • Protection of network-connected devices against targeted attacks (McAfee Next Generation IPS)
    • High-assurance, strong next-generation firewall capabilities, including application visibility (McAfee Next Generation Firewall)
    • Advanced threat response, behavioral analysis and access control solutions for the network (McAfee Network Threat Response, McAfee Network Access Control and McAfee Network Threat Behavior Analysis)
  • 18. McAfee Datacenter Security: The Heart of a Flexible, Efficient, Secure Next Generation Data Center
    Comprehensive Security for Storage Devices
    • Continuous protection for storage devices and their data
    • Scan, detect and quarantine files on NAS storage devices (NetApp, EMC, Hitachi, SharePoint, etc.) (McAfee VirusScan Enterprise for Storage)
  • 19. McAfee Data Center Security: The Heart of a Flexible, Efficient, Secure Data Center
    Unified Security Management and Powerful Threat Intelligence
    • High-performance security information and event management (SIEM) solutions for complete visibility and situational awareness to protect critical information and infrastructure (McAfee SIEM)
    • Single management console for McAfee security products and over 130 partner-integrated products (McAfee ePO)
    • Comprehensive threat intelligence from over 150 million sensors across the web, channeled into all products in real time (McAfee Global Threat Intelligence)
  • 20. Connecting to the Cloud With Confidence
    • Flexible deployment options: on-premise, SaaS or virtual
    • Protection and policies across Email and Web channels
    • Confidence to migrate data safely to public cloud
    • Unify identity policies across SaaS and federated solutions
    Diagram: Cloud Ecosystem; Email Security, Data Loss Prevention, Web Security, Identity Management; Global Threat Intelligence; McAfee ePolicy Orchestrator; Enterprise Users, Mobile Users, Enterprise Applications, Private Cloud
  • 21. McAfee’s Tailored Data Protection Methodology
    1. Discover and Learn: Find all your sensitive data wherever it may be
    2. Assess Risk: Ensure secure data handling procedures are in place
    3. Define Effective Policies: Create policies to protect data and test them for effectiveness
    4. Apply Controls: Restrict access to authorized people and limit transmission
    5. Monitor, Report and Audit: Ensure successful data security through alerting and incident management
  • 22. Cloud Identity Manager
    Diagram: Account Provisioning, SSO, Strong Auth; Internal User, External User; Laptop, Mobile, Any Device, Any Time, Any Where; 100s of SaaS Apps; AD, LDAP, Database, SAML IdP, OpenID, etc.
  • 23. Security and Cloud Adoption
    PHYSICAL: MFR | ENG | HR
    VIRTUALIZED: MFR, ENG, HR
    CLOUD: IaaS, PaaS
    • Enable Adoption
    • Ensure Compliance
    • Unified Security Process
    • Optimized Performance
    • Sustained investment
    • Continuous Protection
  • 24. Usage Case: Financial Transaction Clearinghouse
    Diagram: Financial Institution sends Financial Transaction Records to the Service Provider / Clearing House through FW/DLP/…; Bot. FW: Protocol Secure ✔; FW: Intended Destination ✔
    There is no model to create awareness of the health of the system receiving the data. This is generally true of all systems outside the perimeter.
  • 25. Financial Transaction Clearinghouse
    Diagram: Financial Institution sends Financial Transaction Records to the Clearing House through the FW; Healthy Assessment. Data transmitted based on health measure of service. FW: Protocol Secure ✔; FW: Intended Destination ✔; health ✔
    McAfee is well positioned both in technology assets and in brand permission to become the standard for conveying system integrity across management domains.
  • 26. Trapezoid RSA Demo: Enabling Private Cloud Adoption
    ePO is not aware of hypervisor or physical server risks.
    System Admin in finance builds a new payroll application on a virtual server. Once the application server is built, the system admin turns it over to the DC operations team to deploy on the PRIVATE CLOUD infrastructure (provisions virtual server to DC). The system admin is blind to all of the underlying infrastructure. ePO has no visibility into the hypervisor or the infrastructure today.
    Diagram: ePO; Hypervisor; Server; Corporate Data Center
  • 27. Sample Usage Case: Enabling Public Cloud Adoption
    1. TXT signals TRUSTED Hypervisor to ePO
    2. ePO sends integrity to GTI
    3. Customer ePO queries GTI for integrity
    4. Payroll application reported compliant while running in Public Cloud
    Diagram: Corporate Data Center (provisions virtual server to DC; Hypervisor/Server TRUSTED; Safe Private Cloud Enabled); DC Ops pushes virtual server to Cloud Provider; Public Cloud Data Center (Cloud Provider Hypervisor/Server TRUSTED; Safe Public Cloud Enabled)
    Net Result:
    – CIO public cloud objectives enabled
    – Cloud provider preferred over others (Greater Value!)
  • 28. Cut Costs and Increase the Level of Content and Data Protection
    • Proliferation of technology at the gateway: adoption of point solutions has increased operational costs
    Diagram: Firewall, Proxy Cache, Anti-Virus, Web Exploit, URL Filter, SSL Inspection, Instant Messaging Inspection, Users and Data Protection; McAfee Web Gateway
  • 29. Types of SSO Connectors
    • SAML: SAML2 or SAML 1.1 federation
    • Proprietary: custom method supported by the target application
    • Agent: agent needs to be installed on the target app. Java, .NET, and PHP agents available today
    • HTTP-Post: username/password are captured during first login, and an automated HTTP form post is performed in subsequent logins
  • 30. Front-end Authentication into Cloud Identity Manager
    • Username/Password: User store in Directory (AD / LDAP), Database, CAS
    • 2-factor authentication: OTP (built-in); Facial Recognition (through partner BioID)
    • First mile SSO: AD IWA; 3rd party IdM session (such as CA SiteMinder); Accept SAML assertion
    • Internet Identity Providers: Facebook; OpenID (Google, Yahoo, PayPal, etc.); SAML (Salesforce)
  • 31. Strong Authentication Features
    • Software OTP
      – Coverage across multiple devices and delivery methods
      – Simple & fast to roll out with user self-enrollment
      – Mobile Token: Pledge
      – USB Key: YubiKey
      – Email
      – Runs on all platforms: iPhone, BlackBerry, WinMobile, etc.
    • Silicon OTP
      – IPT: Secure ME layer in Intel chip
      – “hardens” software OTP
      – Attest that SSO came from corp-issued laptop
      – Embedded in Ultrabooks
    Deliver a more secure Cloud SSO by invoking strong auth from hardware or mobile software clients