Cloud Security & Control: A Multi-Layer Approach to Secure Cloud Computing
Presentation Transcript

  • Cloud Security & Control: A Multi-Layer Approach to Secure Cloud Computing. John Rowell, Chief Technology Officer, OpSource (Twitter: @johnrowell). Paul Sathis, Director, Cloud Computing, Intel Americas, Intel Corporation (Twitter: @paulinthehouse).
  • Legal Disclaimers
    – Intel® Virtualization Technology requires a computer system with an enabled Intel® processor, BIOS, virtual machine monitor (VMM) and, for some uses, certain platform software enabled for it. Functionality, performance or other benefits will vary depending on hardware and software configurations and may require a BIOS update. Software applications may not be compatible with all operating systems. Please check with your application vendor.
    – Intel® TXT requires a computer system with Intel® Virtualization Technology, an Intel TXT-enabled processor, chipset, BIOS, Authenticated Code Modules and an Intel TXT-compatible measured launched environment (MLE). Intel TXT also requires the system to contain a TPM v1.2. For more information, visit http://www.intel.com/technology/security. In addition, Intel TXT requires that the original equipment manufacturer provides TPM functionality, which requires a TPM-supported BIOS. TPM functionality must be initialized and may not be available in all countries.
    – Intel® AES-NI requires a computer system with an AES-NI enabled processor, as well as non-Intel software to execute the instructions in the correct sequence. For availability, consult your reseller or system manufacturer. For more information, see http://software.intel.com/en-us/articles/intel-advanced-encryption-standard-instructions-aes-ni/
    – Intel processor numbers are not a measure of performance. Processor numbers differentiate features within each processor series, not across different processor sequences. See http://www.intel.com/products/processor_number for details. Intel products are not intended for use in medical, life saving, life sustaining, critical control or safety systems, or in nuclear facility applications.
    – All dates and products specified are for planning purposes only and are subject to change without notice.
    – On Slide 4, the sources are as follows: 1) Source: http://www.theregister.co.uk/2009/06/08/webhost_attack/ 2) Source: http://www.infoworld.com/d/security-central/it-ops-security-pros-odds-over-virtualization-risks-240
    – On Slide 10, the sources are as follows: 3) World-record virtualization performance claim based on all published VMmark* 1.x results on http://www.ideasinternational.com/Benchmark-Top-Ten/VMmark-1-x. Top-ranked Fujitsu PRIMERGY* RX600 S5 uses four Intel® Xeon® processor X7560 (24M cache, 2.26GHz, 6.40GT/s Intel QPI). Software and workloads used in performance tests may have been optimized for performance only on Intel microprocessors. Performance tests, such as SYSmark and MobileMark, are measured using specific computer systems, components, software, operations, and functions. Any change to any of those factors may cause the results to vary. You should consult other information and performance tests to assist you in fully evaluating your contemplated purchases, including the performance of that product when combined with other products. 4) No computer system can provide absolute security under all conditions. Intel® Trusted Execution Technology (Intel® TXT) requires a computer system with Intel® Virtualization Technology, an Intel TXT-enabled processor, chipset, BIOS, Authenticated Code Modules and an Intel TXT-compatible measured launched environment (MLE). Intel TXT also requires the system to contain a TPM v1.2. For more information, visit http://www.intel.com/technology/security 5) Intel® AES-NI requires a computer system with an AES-NI enabled processor, as well as non-Intel software to execute the instructions in the correct sequence. AES-NI is available on select Intel® Xeon® processors. For availability, consult your reseller or system manufacturer. For more information, see http://software.intel.com/en-us/articles/intel-advanced-encryption-standard-instructions-aes-ni/
    Copyright © 2011 Intel Corporation. All rights reserved. Intel, the Intel logo, Xeon and Intel Core are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. All dates and products specified are for planning purposes only and are subject to change without notice. * Other brands and names may be claimed as the property of others.
  • VOTE: With regards to cloud computing, I am most concerned about the following issue:
    − Compliance
    − Multi-tenancy
    − Audit
    − Data Protection
    − All of the above
  • Security in the Cloud: Virtualization vs. Security (Benefits vs. Needs)
    – “Webhost hack wipes out data for 100,000 sites; Vaserv suspects zero-day virtualization vuln” —The Register1
    – “IT ops, security pros at odds over virtualization risks; IT pros upbeat about virtualization, whereas security experts harbor doubts about the security role the hypervisor can play” —IDG News Service2
    – New security requirements for cloud & virtualization: abstraction of physical hardware, multi-tenancy and movement implicitly require audit & security
    Cloud & Virtualization Break Many Traditional Perimeter-oriented Security Techniques
  • Cloud 2015 Vision
    – FEDERATED: Share data securely across public and private clouds
    – AUTOMATED: IT can focus more on innovation and less on management
    – CLIENT AWARE: Optimizing services based on device capability (Desktops, Laptops, Netbooks, Personal Devices, Smartphones, Smart TVs, Embedded)
    Open & Interoperable Solutions Essential
  • From Vision to Action: Helping Cloud Service Providers on Path to Cloud 2015
  • Intel Platform Technologies: Intelligence Built-in for Cloud Computing Demands
    – Compute: Intel® Xeon® processors E7 & 7500 Series with Hardware-based Security
    – Network: 10Gb Ethernet with unified fabric
    – Storage: Open platforms and built-in support for performance breakthroughs (SSDs)
    Result: Helps Provider Meet Service Level Agreements; Performance for Workload agility; Simpler & Lower Cost
  • Cloud Security Services Enhanced by Intel-based Technology
    – Encrypt in the Cloud: Use encryption to protect data
    – Trust the Cloud: Establish a trusted foundation
    – Connect to the Cloud: Establish / verify identities & federate
    – Audit the Cloud: Build higher assurance into audit
  • Intel-based Technology Establishing Foundation for More Secure Clouds
    – Encrypt: Intel® AES-NI
    – Isolate: Intel® VT & Intel® TXT
    – Comply: Intel® TXT
    (Diagram: VMs (VM 1, VM 2) running on a VMM, with Intel® TXT beneath the VMM.)
  • Great Collaboration with OpSource
    – Cloud Services Powered by Intel® Xeon® processor 7500 & E7 Series: Intel Xeon processor E7 series delivers world-record virtualization performance while delivering higher VM densities than any other industry-standard server in the market today3
    – State of the Art Hardware-based Security Technology: Working with Intel on hardware-based security such as Intel® Trusted Execution Technology4 that can be used to verify the trustworthiness of a platform
    – Foundation for High Reliability: Intel Xeon processor E7 series delivers extraordinary server reliability with automatic detection and correction of errors and interconnect error detection and recovery; helps OpSource deliver on high-availability and cloud performance claims
    With Intel technology, OpSource can enhance security, meet demanding customer requirements & drive competitive prices
  • Cloud Security & Control: A Multi-Layer Approach to Secure Cloud Computing. 9/14/2011, John Rowell, CTO. Slide 11 © 2011 OpSource, Inc. All rights reserved.
  • OpSource: Enterprise Cloud and Managed Hosting
    – OpSource provides Enterprise Cloud and Managed Hosting Services
    – Solutions for Enterprise, SaaS, Service Providers (Telecom and Cloud Platforms)
    – A Dimension Data Company
    – Offices: Santa Clara, CA (HQ); Herndon, VA; Dublin, London, Bangalore
    – Unmatched Industry Experience: SaaS Hosting and Scaling Software-Oriented Architectures (SOA); High Performance, Secure Cloud Computing
  • Polls Show Security as Top Concern about Public Cloud
    – 64% of IT Bosses express concerns about whether corporate data would be secure inside cloud service providers' datacenters (Forrester Research)
    – 56% of CFOs had not invested in public cloud services because of fears over the security of sensitive data (SunGard Availability Services Poll; Gartner 2009 Poll)
  • Security is a Challenge for Utility Cloud Platforms
  • Defense-in-Depth Security Applied to the Cloud: Defense in depth is a best practice in which multiple layers of security controls (defense) are implemented to provide redundancy in the event a security control fails or a vulnerability is exploited.
    Layers of Defense: IDS / IPS; Segmentation (VLAN, Firewall); Authentication and Access Control; Data Encryption; Incident Response; Physical Data Center Security; Monitoring and Tuning
  • Defense #1: Intrusion Detection System: Fully-managed Intrusion Detection System (IDS) utilizing signature, protocol and anomaly based inspection methods
  • Defense #2: Network Segmentation Provides Security Controls
    – Customer Controlled Network Configuration, with configurable Layer 2 VLANs: provide segmentation of public and private IP space; NAT and VIP functions expose only those IP addresses you want made public
    – Customizable ACL-based firewall rules allow control of access into each network VLAN: build multi-tier network architectures to separate data tiers from front-end web tiers to provide an additional layer of firewall rules to protect data
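The multi-tier separation on this slide, modelled as an added example (not OpSource's or Intel's code): each VLAN has its own inbound ACL, evaluated first-match with an implicit deny, and the check at the end confirms that the Internet reaches the web tier but only the web tier reaches the data tier. The VLAN ranges, the VPN range and the addresses are constructed values.

```python
# Added example (not OpSource's or Intel's code): a minimal model of the
# per-VLAN ACL firewall rules the slide describes. Rules are evaluated
# first-match and every VLAN ends in an implicit deny; all values are constructed.
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Optional

class Rule(NamedTuple):
    action: str              # "permit" or "deny"
    src: str                 # source CIDR
    dst_port: Optional[int]  # None means any port

PUBLIC = "0.0.0.0/0"
WEB_VLAN = "10.10.0.0/24"   # front-end web tier (assumed)
DATA_VLAN = "10.20.0.0/24"  # data tier (assumed)
MGMT_VPN = "10.99.0.0/24"   # administrators arrive over VPN (assumed)

# Inbound ACL for each protected VLAN, in evaluation order.
ACLS: Dict[str, List[Rule]] = {
    WEB_VLAN: [Rule("permit", MGMT_VPN, 22),
               Rule("permit", PUBLIC, 443),
               Rule("permit", PUBLIC, 80)],
    # Only the web tier may reach the database port; nothing else gets in.
    DATA_VLAN: [Rule("permit", MGMT_VPN, 22),
                Rule("permit", WEB_VLAN, 3306)],
}

def vlan_for(addr: str) -> Optional[str]:
    """Return the VLAN that contains addr, or None if it is not ours."""
    for net in ACLS:
        if ip_address(addr) in ip_network(net):
            return net
    return None

def is_allowed(src: str, dst: str, dst_port: int) -> bool:
    """First-match evaluation of the destination VLAN's inbound ACL."""
    vlan = vlan_for(dst)
    if vlan is None:
        return False  # traffic to an unknown destination is dropped
    for rule in ACLS[vlan]:
        src_ok = ip_address(src) in ip_network(rule.src)
        port_ok = rule.dst_port is None or rule.dst_port == dst_port
        if src_ok and port_ok:
            return rule.action == "permit"
    return False  # implicit deny at the end of every ACL

def check_tiering() -> Dict[str, bool]:
    """The separation the slide describes: the Internet reaches the web tier
    on 443 but never the data tier, and only the web tier reaches the DB."""
    return {
        "internet_to_web_443": is_allowed("203.0.113.7", "10.10.0.5", 443),
        "internet_to_db_3306": is_allowed("203.0.113.7", "10.20.0.5", 3306),
        "web_to_db_3306": is_allowed("10.10.0.5", "10.20.0.5", 3306),
        "web_to_db_22": is_allowed("10.10.0.5", "10.20.0.5", 22),
        "vpn_to_db_22": is_allowed("10.99.0.9", "10.20.0.5", 22),
    }
```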
  • Defense #3: Authentication and Access Controls
    – VPN access for administration of all servers
    – Unique username and password for multiple administrators
    – Role-based permissions allow cloud administrators to create sub-admins to manage only certain resources, such as servers, storage or networks
    – Audit logs and reporting
  • Defense #3 (con’t): Authentication and Access Controls
    – Intel® TXT establishes a “hardware root of trust” that can be used to verify the trustworthiness of a platform4
    – Applications for cloud computing: base migration and workload placement decisions on the trustworthiness of the infrastructure; control cloud workloads
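How a placement decision can be tied to platform trustworthiness, as an added example (not OpSource's or Intel's code): a host's launch measurement is compared against an allowlist of known-good values, and a workload that requires a trusted platform is placed or migrated only onto a host with a positive match. Real Intel TXT attestation reads TPM PCR values through an attestation service; the `measure` helper, the host names and every digest here are constructed stand-ins.

```python
# Added example (not OpSource's or Intel's code): a simplified model of
# placing workloads only on hosts whose measured launch matches a known-good
# value. Real Intel TXT attestation reports TPM PCR values through an
# attestation service; here every measurement and host is a constructed value.
import hashlib
from typing import Dict, List, Optional

def measure(components: List[str]) -> str:
    """Model a measured launch: fold each component's hash into a running
    digest (TPM-extend style) so any changed or extra component changes it."""
    digest = bytes(32)
    for comp in components:
        digest = hashlib.sha256(digest + hashlib.sha256(comp.encode()).digest()).digest()
    return digest.hex()

# Allowlist of known-good measurements for the approved BIOS/ACM/VMM stack.
KNOWN_GOOD = {measure(["bios-2011.09", "acm-v1", "vmm-approved-build"])}

# Inventory: what each host actually reported (constructed).
HOSTS: Dict[str, Optional[str]] = {
    "host-a": measure(["bios-2011.09", "acm-v1", "vmm-approved-build"]),
    "host-b": measure(["bios-2011.09", "acm-v1", "vmm-tampered-build"]),
    "host-c": None,  # no attestation received at all
}

def is_trusted(measurement: Optional[str]) -> bool:
    """A host is trusted only on a positive match; a missing or unrecognised
    measurement is untrusted, never 'unknown but probably fine'."""
    return measurement is not None and measurement in KNOWN_GOOD

def place(requires_trust: bool, hosts: Dict[str, Optional[str]]) -> Optional[str]:
    """Return the first host allowed to run the workload, or None if the
    workload must wait rather than land on an untrusted platform."""
    for name, m in hosts.items():
        if not requires_trust or is_trusted(m):
            return name
    return None

def migration_targets(current: str, requires_trust: bool) -> List[str]:
    """Hosts a running workload may be moved to, applying the same check."""
    return [n for n, m in HOSTS.items()
            if n != current and (not requires_trust or is_trusted(m))]

def placement_report() -> Dict[str, Optional[str]]:
    remaining = {k: v for k, v in HOSTS.items() if k != "host-a"}
    return {
        "payroll-db": place(True, HOSTS),
        "public-web": place(False, HOSTS),
        "payroll-db-without-host-a": place(True, remaining),
    }
```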
  • Defense #4: Data Reliability & Security
    – The Intel® Xeon® processor E7 family offers an extensive and robust set of RAS features in silicon to provide error detection, correction, containment, and recovery in all processors, memory, and I/O data paths
    – VPN Access
    – Data stored with 256-bit encryption at rest and 128-bit SSL encryption while in transit
    – Working with Intel on utilizing Intel® Advanced Encryption Standard - New Instructions to reduce the performance penalties usually experienced with pervasive encryption5
  • Defense #5: 24x7 Incident Response: Incident Response Teams handle reports of security incidents. An OSIRT will escalate the incident to law enforcement and/or executive management as prescribed in security policies, 24 x 7 x 365
  • Defense #6: Datacenters – The Physical Security of the Cloud
    – Meet or Exceed Tier III Standards (highest commercially available datacenter rating)
    – All areas within facility are monitored with CCTV and onsite guards; 24x7x365 surveillance and audit logs
    – Multiple layers of biometric two-factor authentication restrict access
  • Defense #7: Monitoring and Tuning
    – Edge-to-edge security, visibility and carrier-class threat management and remediation utilizing industry leading Arbor Networks Peakflow
    – Compares real-time network traffic against baseline definitions of normal network behavior, immediately flagging all anomalies due to security hazards such as: Denial of Service (DoS) attacks; Distributed Denial of Service (DDoS) attacks; Worms or botnets
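The baseline comparison on this slide in miniature, as an added example (not OpSource's or Arbor Networks' code): a per-destination baseline of packets per interval is learned from a quiet training window, and live intervals whose rate exceeds that baseline by a z-score threshold are flagged, as is any destination that has no baseline at all. The addresses and traffic counts are constructed sample data.

```python
# Added example (not OpSource's or Arbor Networks' code): flag intervals whose
# traffic departs from a learned per-destination baseline. Counts are constructed.
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed training window: packets per interval seen at each protected
# destination while traffic was known to be normal.
TRAINING: Dict[str, List[int]] = {
    "10.10.0.5": [1200, 1310, 1180, 1250, 1290, 1230, 1270, 1210],
    "10.10.0.6": [300, 320, 290, 310, 305, 295, 315, 300],
}

Alert = Tuple[str, int, int, float]  # (destination, interval, packets, z-score)

def build_baseline(training: Dict[str, List[int]]) -> Dict[str, Tuple[float, float]]:
    """Mean and (population) standard deviation of normal traffic per destination."""
    return {dst: (mean(v), pstdev(v)) for dst, v in training.items()}

def flag_anomalies(baseline: Dict[str, Tuple[float, float]],
                   live: Dict[str, List[int]],
                   z_threshold: float = 4.0,
                   min_stdev: float = 1.0) -> List[Alert]:
    """Return one alert per interval that exceeds the baseline. min_stdev floors
    the deviation so a very flat baseline does not flag ordinary jitter."""
    alerts: List[Alert] = []
    for dst, series in live.items():
        if dst not in baseline:
            # Traffic to something never baselined cannot be judged normal;
            # surface it as an alert of its own rather than silently skipping.
            alerts.append((dst, -1, sum(series), float("inf")))
            continue
        mu, sigma = baseline[dst]
        sigma = max(sigma, min_stdev)
        for i, pkts in enumerate(series):
            z = (pkts - mu) / sigma
            if z > z_threshold:
                alerts.append((dst, i, pkts, round(z, 1)))
    return alerts

# Constructed live window: a volumetric flood toward .5 begins at interval 3,
# while .6 stays within its normal band.
LIVE: Dict[str, List[int]] = {
    "10.10.0.5": [1240, 1260, 1225, 48000, 52500, 51000],
    "10.10.0.6": [310, 298, 305, 312, 300, 307],
}

def detect() -> List[Alert]:
    return flag_anomalies(build_baseline(TRAINING), LIVE)
```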
  • OpSource’s Approach to Ensuring Security
    – Defense in depth is a best practice with multiple layers of security controls
    – Cisco hardware-based networking
    – As part of best practice, intelligent servers are needed to secure clouds
    – Intel technology helps provide foundation for Trust, Security, & Compliance with Intel® TXT and Intel® AES-NI
    – Increases confidence that your data in the cloud is safe and secure
    Layers of Defense: IDS / IPS; Segmentation (VLAN, Firewall); Authentication and Access Control; Data Encryption; Incident Response; Physical Data Center Security; Monitoring and Tuning
  • Set up a Cloud Network to Secure Your Environment
  • Set up and Manage Cloud Servers
    – Network: Cisco-based firewall, VLAN, VPN and load balancing included
    – User Management: Role-based user controls; activity and usage reporting
    – Support: 24x7 phone support included; Managed Services
    – Flexibility: 1-8 CPU, 1-64GB RAM, 50GB-2.5TB local disk
    – Hybrid: Ability to deploy dedicated and cloud servers
  • Compliance Enhances Trust: Yearly certification and compliance audits to ensure security; HIPAA Business Associate
  • VOTE: Learning about how OpSource secures their cloud solution, including the use of Intel Technology, has
    − Significantly increased my level of interest in OpSource’s Cloud Solutions
    − Slightly increased my level of interest in OpSource’s Cloud Solutions
    − Not changed my level of interest in OpSource’s Cloud Solutions
  • Continue Conversation: John Rowell, Chief Technology Officer, OpSource (Twitter: @johnrowell). Paul Sathis, Director, Cloud Computing, Intel Americas, Intel Corporation (Twitter: @paulinthehouse).