Hybrid Cloud and Security Management for Enterprises
Hybrid Cloud and Security Management for Enterprises – Presentation Transcript

  • 1. Extending the Enterprise into the Cloud - Hybrid Infrastructure & Security Management. Seoul, Korea, COEX Convention Centre, 24th October 2013
  • 2. Hybrid Cloud & the Enterprise. Anthony Russell, Technology Partner Manager – Amazon Web Services (APAC)
  • 3. How customers are using hybrid infrastructure
    • Augment on-premises resources with cloud capacity
    • Migrate existing apps & data to the cloud
    • Build new apps, sites, services & lines of business
  • 4. Shell uses AWS to Develop Software Faster and Cheaper (diagram: Core Development Team, Extra Development Resources, Contractor Team, Remote Team)
  • 5. S&P Capital IQ Uses AWS for Big Data Processing
    • Provides data to 4200+ top global investment firms
    • Launched Hadoop faster, learned Hadoop faster
    (diagram: S3, Hadoop Cluster)
  • 6. Shaw Media uses AWS for Disaster Recovery
    • Saved $1.8 Million in second site costs
    • Snapshots for granular rollbacks
    (diagram: Before – primary site only; After – primary site plus Disaster Recovery Site)
  • 7. Lionsgate uses AWS to host SharePoint & SAP
    • Avoided data center build out
    • 50% lower cost than hosting options
    • Saved $1M over 3 years
    (diagram: Amazon VPC)
  • 8. How AWS enables the hybrid environment (diagram of the platform layers: Deployment & Administration; Application Services; Compute, Storage, Networking, Database; AWS Global Infrastructure)
  • 9. How can you extend your own on-premise environments into the AWS Cloud? (diagram labels: Your Data Centers – Active Directory, VMware Images, Your networks, Your Data, Your Apps; AWS Cloud – Users & Access Rules, VM Import/Export, Virtual Private Network, Cloud Storage, Your Cloud Apps)
  • 10. Extending the power of existing applications with AWS (diagram: App 1 … App N in Your Data Centers connected to a VPC offering Compute, Hadoop clusters, Analytics, Data Warehouses, Backup, Storage and archives)
  • 11. Enterprise management & security objectives 1. Secure and robust infrastructure 2. Control access and authorisation 3. Keep track of assets and configuration 4. Governance across everything
  • 12. AWS supports your enterprise cloud-based security objectives
    • AWS Direct Connect – Private connectivity between AWS and your datacenter
    • Amazon VPC – Private, isolated section of the AWS Cloud with VPN connectivity
    • AWS IAM (Identity & Access Mgmt) – Manage users, groups & permissions
    • AWS CloudFormation – Templates to deploy & manage
    (diagram: Web App, Enterprise App, Database)
  • 13. Enterprise management & security objectives 1. Secure and robust infrastructure 2. Control access and authorisation 3. Keep track of assets and configuration 4. Governance across everything
  • 14. AWS offers global reach and high availability: US-EAST (Virginia), US-WEST (N. California), US-WEST (Oregon), GOV CLOUD, EU-WEST (Ireland), ASIA PAC (Tokyo), ASIA PAC (Singapore), ASIA PAC (Sydney), SOUTH AMERICA (Sao Paulo)
  • 15. The AWS platform has strong security foundations
    • SOC 1 (SSAE 16 & ISAE 3402) Type II Audit (was SAS70)
    • SOC 2 Type 1 Audit
    • ISO 27001 Certification
    • Payment Card Industry Data Security Standard (PCI DSS) Level 1 Service Provider
    • FedRAMP (FISMA), ITAR, FIPS 140-2
    • Cloud Security Alliance Questionnaire
    • MPAA (best practices for storage, processing, delivery)
    (diagram: Foundation Services – Compute, Storage, Database, Networking; AWS Global Infrastructure – Regions, Availability Zones, Edge Locations)
  • 16. Security is a shared responsibility with AWS
    • AWS: Facilities; Physical security; Compute infrastructure; Storage infrastructure; Network infrastructure; Virtualization layer (EC2); Hardened service endpoints; Rich IAM capabilities
    • + Customer: Network configuration; Security groups; OS firewalls; Operating systems; Applications; Proper service configuration; AuthN & acct management; Authorization policies
    • = Security scope for customers is reduced
    • Take advantage of high levels of uniformity and automation to enhance security posture when moving into the cloud
  • 17. AWS Partners help customers deploy & enhance their own controls
    • AWS: Facilities; Physical security; Compute infrastructure; Storage infrastructure; Network infrastructure; Virtualization layer (EC2); Hardened service endpoints; Rich IAM capabilities
    • + AWS Partner Solutions
    • = Managed, secure hybrid customer solutions
    • AWS Partners build on AWS strong foundations to complete the enterprise security solution
  • 18. Building secure, reliable connectivity to the hybrid environment
  • 19. Connect over the public Internet (diagram: Data center – www – AWS Cloud)
  • 20. Connect over industry-standard IPSEC VPN (diagram: Data center router – IPSec tunnel across www – router – AWS Cloud). IPSec tunnel via statically-routed or dynamically-routed (BGP) VPN
  • 21. Connect in private with AWS Direct Connect (diagram: Data center – AWS Direct Connect Location – AWS Cloud). Amazon Partner Network suppliers can hook up the last leg. Locations: New York, Los Angeles, Washington DC, San Jose, Singapore, Tokyo, London Docklands, Sao Paulo, Sydney
  • 22. Building a secure hybrid environment with the AWS Virtual Private Cloud
  • 23. The AWS Virtual Private Cloud
    • VPC spans an AWS region – customer chooses what geography their content resides in
    • Customer chooses their own private IP address range
    • Split the VPC into multiple internal public and private network segments
    • Retain full control over routing
    (diagram: Region – VPC A 10.0.0.0/16 – Router – Subnet 10.0.1.0/24 and Subnet 10.0.2.0/24, each in its own Availability Zone)
  • 24. Security Groups and Network Access Control Lists
    • AWS Security Groups
      – Stateful ingress and egress firewall rules
      – Granular – firewalls for every host in the VPC
    • Network Access Control Lists
      – Stateless network filter controls
      – Offer defence in depth over security groups
    • Duties can be controlled and segregated
    (diagram: Region – VPC A 10.0.0.0/16 – Router – Subnet 10.0.1.0/24 and Subnet 10.0.2.0/24 in separate Availability Zones)
  • 25. External VPC connectivity can be private or public
    • Customers are in full control of VPC external connectivity
    • Internet connectivity is optional and disabled by default
    • Connect privately to on-premise systems over VPN or Direct Connect
    (diagram: Internet – Internet Gateway – VPC A 10.0.0.0/16 with Subnet 10.0.1.0/24 and Subnet 10.0.2.0/24 in separate Availability Zones – Router – Customer Gateway – on-premise data centres)
  • 26. Partners build on top of the strong AWS baseline
    • Customers remain in control to implement their own security controls on top of the AWS environment
    • Trend Deep Security is a leading partner solution for host protection on the AWS environment, in addition to intrusion detection & protection services
    • BMC integrate on-premise and cloud management and monitoring to provide a single pane of control for your hybrid IT solutions
    (diagram: Region – VPC A 10.0.0.0/16 – Router – Subnet 10.0.1.0/24 and Subnet 10.0.2.0/24 in separate Availability Zones)
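The VPC layout from slides 23 to 25, written out as an added CloudFormation template (not from the deck or from AWS): VPC A 10.0.0.0/16 with the two subnets, a stateful security group pair for a web and a database tier, and a stateless NACL on the private subnet that shows the return-traffic rule a stateless filter needs. The on-premise range 192.168.0.0/16 and all resource names are assumptions.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example - VPC A with two subnets, stateful security groups and a stateless NACL
Resources:
  VpcA:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16            # private range chosen by the customer

  # No InternetGateway and no 0.0.0.0/0 route are declared, so the VPC has no
  # Internet connectivity: the "disabled by default" state from slide 25.
  WebSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcA
      CidrBlock: 10.0.1.0/24            # web tier segment
  DbSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcA
      CidrBlock: 10.0.2.0/24            # private database segment

  # Security groups are stateful: permitting inbound 443 also permits the
  # reply packets out, so no return rule is needed.
  WebSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Web tier - HTTPS from the on-premise range only
      VpcId: !Ref VpcA
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 192.168.0.0/16        # constructed on-premise range (assumption)
  DbSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: DB tier - MySQL only from members of WebSg
      VpcId: !Ref VpcA
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3306
          ToPort: 3306
          SourceSecurityGroupId: !Ref WebSg   # group-to-group, not IP-based

  # A custom NACL starts as implicit deny-all and is stateless: the DB's
  # replies back to the web tier need their own egress rule on the client's
  # ephemeral ports, or the TCP handshake never completes.
  DbNacl:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: !Ref VpcA
  DbNaclInMysql:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref DbNacl
      RuleNumber: 100
      Protocol: 6                       # TCP
      RuleAction: allow
      Egress: false
      CidrBlock: 10.0.1.0/24            # only the web subnet may reach MySQL
      PortRange: { From: 3306, To: 3306 }
  DbNaclOutReplies:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref DbNacl
      RuleNumber: 100                   # ingress and egress numbers are separate
      Protocol: 6
      RuleAction: allow
      Egress: true
      CidrBlock: 10.0.1.0/24
      PortRange: { From: 1024, To: 65535 }   # ephemeral ports of the web clients
  DbSubnetNacl:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId: !Ref DbSubnet
      NetworkAclId: !Ref DbNacl
```

The web subnet is left on the VPC's default NACL, which allows all traffic, so its defence in depth is the security group alone; a private subnet with this NACL also has no path for package updates or DNS until matching rules and a route are added.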
  • 27. Enterprise management & security objectives 1. Secure and robust infrastructure 2. Control access and authorisation 3. Keep track of assets and configuration 4. Governance across everything
  • 28. Get fine-grained control of the cloud environment. AWS IAM enables you to securely control access to AWS services and resources
    • Fine-grained control of user permissions, resources and actions
    • Configure users, groups, roles
    • Several multi-factor authentication options: hardware token or smartphone apps
    • Create a private AWS console URL (http://aws.yourcompany.com)
  • 29. Enterprise management & security objectives 1. Secure and robust infrastructure 2. Control access and authorisation 3. Keep track of assets and configuration 4. Governance across everything
  • 30. Using CloudFormation to deploy AWS configurations
    • Flow: Template (configuration files) → CloudFormation (framework) → Stack (configured AWS services)
    • Data centre configurations can be treated as version-controlled configurations
    • Stack creation; Stack updates; Error detection and rollback
    • Comprehensive service support; Service event aware; Customisable
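Slides 28 and 30 together: an added CloudFormation template (not from the deck or from AWS) that puts the IAM controls named on slide 28 into a version-controlled stack, with a group whose members can inspect EC2 at any time but change instances only when their session carries an MFA claim. The group and user names are constructed, and because they are explicit the stack must be created with the CAPABILITY_NAMED_IAM acknowledgement.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example - IAM group that requires MFA for state-changing EC2 actions
Resources:
  CloudOpsGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: cloud-ops              # constructed name (assumption)
      Policies:
        - PolicyName: ec2-change-requires-mfa
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Read-only actions are allowed with or without MFA; Describe*
              # calls do not support resource-level ARNs, hence '*'.
              - Sid: DescribeAnytime
                Effect: Allow
                Action:
                  - ec2:Describe*
                Resource: '*'
              # State-changing actions are scoped to instances in this account
              # and region, and allowed only when the session presented MFA
              # (hardware token or smartphone app, as on slide 28).
              - Sid: ChangeOnlyWithMfa
                Effect: Allow
                Action:
                  - ec2:StartInstances
                  - ec2:StopInstances
                  - ec2:TerminateInstances
                Resource: !Sub arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/*
                Condition:
                  Bool:
                    aws:MultiFactorAuthPresent: 'true'
              # Explicit Deny with BoolIfExists also matches sessions where the
              # key is absent (long-lived access keys), so no other Allow
              # attached to the user can reopen termination without MFA.
              - Sid: DenyTerminateWithoutMfa
                Effect: Deny
                Action: ec2:TerminateInstances
                Resource: '*'
                Condition:
                  BoolIfExists:
                    aws:MultiFactorAuthPresent: 'false'
  OpsUser:
    Type: AWS::IAM::User
    Properties:
      UserName: alice.ops               # constructed name (assumption)
      Groups:
        - !Ref CloudOpsGroup            # Ref on an IAM group yields its name
```

Updating the stack changes the policy in place and a failed update rolls back, which is the "error detection and rollback" behaviour slide 30 lists.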
  • 31. Enterprise management & security objectives 1. Secure and robust infrastructure 2. Control access and authorisation 3. Keep track of assets and configuration 4. Governance across everything
  • 32. AWS governance augments existing processes … (diagram: existing governance processes cover Your Data Centers – Your compute, Your configurations, Your network, Your storage, Your On-Premises Apps; AWS governance enablers cover AWS compute, AWS configurations, AWS network, AWS Storage, Your Cloud Apps; the two are linked by Direct Connect and VPC)
  • 33. … to give our customers governance over everything
    • Governance processes: Roles and responsibilities; Configuration management; Financial controls; Monitoring and reporting
    • Secure processing, storage and transmission; Network security; Access control; Identity and authorisation
    • Visibility across the complete hybrid environment
  • 34. Trusted Advisor offers further governance review
    • Online service from AWS Support
      – Analyzes account for various kinds of issues and possible concerns
      – Soon available as an API for integration with your tools or 3rd party solutions
    • Four categories: Cost savings; Security; Fault tolerance; Performance
  • 35. AWS Partners Complete the Picture
    • AWS: Facilities; Physical security; Compute infrastructure; Storage infrastructure; Network infrastructure; Virtualization layer (EC2); Hardened service endpoints; Rich IAM capabilities
    • + AWS Partner Solutions
    • = Secure hybrid environments
    • AWS Partners build on AWS strong foundations to complete the enterprise security solution
  • 36. Next Stop, Hybrid… David Carless, Cloud Computing Specialist – BMC Software (APAC)
  • 37. Two revolutions in IT right now
  • 38. REVOLUTION ONE: The front end – how services are consumed. It's Mobile. It's Social. Expectations of IT have changed. The Consumerization of IT
  • 39. REVOLUTION TWO: The back end – how services are delivered. Pay as you use; Scale up; Scale down; Always on; Immediately available. Making IT fast, flexible and personal (Physical, Virtual, IaaS, PaaS, SaaS)
  • 40. Cloud is transforming the way we deliver IT: the rise of the IT BROKER (diagram: The Business – IT / Cloud Management Platform – Private Cloud, Public Cloud, SaaS, PaaS, IaaS, Legacy Apps)
  • 41. Enterprise Hybrid Cloud is the Future Reality: Public Clouds, Internal Private Clouds, Virtual Private Clouds, Dedicated Infrastructure
  • 42. Why Enterprises are Embracing Cloud Computing
    • Accelerate business
    • Accelerate IT velocity
    • Improve IT efficiency and effectiveness
    • Enable innovation
    • Enable alternative sourcing models based on economic, service level and compliance requirements
    • Response to demand for “consumerisation”
  • 43. Cloud Spending Is On The Rise In 2013-2014. Public Cloud Spending 2013-2014 (Gartner/IDC):
    • 60% of Fortune 1000’s will increase current public cloud spend
    • Spend on public cloud services will grow 18% in 2013-2014
    • $131B in 2013 - $180B expected by 2015!
  • 44. The cloud-enabled enterprise will be an agile, fierce competitor. Current → Future:
    • Fixed Costs → ‘Pay by the Drink’
    • Cumbersome → Responsive
    • Capital Intensive → Capital Light
    • High Maintenance and Run Costs → 40%+ Lower Maintenance and Run Costs
    • Security Issues → Managed Security
    • Business Lagging → Business Leading
    • Outdated → New Technologies
    The Agile Enterprise … Cloud is the “on-ramp” to the Agile Enterprise
  • 45. The Goals of a Hybrid IT Environment
    • A seamless end-user experience regardless of how a service is provisioned
    • Present users with a single unified request portal
    • Instantly deploy complete multi-tier applications
    • Seamlessly incorporate Public Cloud providers into IT architecture
    • Integrate with change and configuration management
    • Maintain Security and Compliance across all available resource sets
    • Optimize CapEx and OpEx to meet business goals
    • While automation is key, the governance, people and process change is most significant
    (diagram: Single Pane of Glass)
  • 46. Misconception, Hybrid is not only “Cloudbursting”
  • 47. Hybrid IT Vision: Implementing IT Operations and Policies in a Software based Management Platform
  • 48. How do I make this work? How do you empower users with self-service and implement cost-effective sourcing strategies while maintaining Control and Governance? What is the impact of implementing a Hybrid environment with no change management? What is the impact of implementing manual processes to control my cloud?
  • 49. Impact of Control & Governance for Cloud (comparison table: columns No Control & Governance, Manual Control & Governance, Automated Cloud Management Platform; rows Speed, Cost, Control, Service Quality, each marked X or ?)
  • 50. BMC & AWS Alliance
  • 51. BMC and Amazon Web Services join forces to deliver Managed Hybrid computing environments
    • On Premise Resources + Amazon EC2, Amazon Elastic Block Storage, Amazon Virtual Private Cloud
    • Unified Management of the Hybrid Cloud:
      – Self Service Management
      – Service Management: seamless provisioning; integrated Service Catalogue
      – Service Governance and control
      – Ongoing performance optimization
      – Monitoring and Analytics
  • 52. Cloud Management with BMC Software
  • 53. BMC Cloud Lifecycle Management CLM 3.0 – End-to-end Cloud Management Platform
    • Service Catalog: single self-service portal
    • Dynamic Provisioning of Multi-tier Services
    • Cloud Service Delivery: policy-based Placement and Governance
    • Compliance and Change Configuration Mgmt
    • Resource Management: totally heterogeneous, avoid any “vendor lock-in”
  • 54. BMC Cloud Lifecycle Management End-to-end Cloud Management Platform
  • 55. Single, Unified User Request: BMC Cloud Lifecycle Management provides AWS Service Options
  • 56. Automated provisioning of cloud services: provision complete cloud services with Post Deployment actions. “No one wants an empty iPad” – from hardware… to fully configured services
    • Infrastructure: Physical machines; Virtual machines; Physical or virtual networks; Operating Systems
    • Platforms: LAMP/WAMP; IBM Websphere; Microsoft SQL & .NET; Oracle Databases; Tibco
    • Applications: Exchange; Sharepoint; COTS; Custom Web App’s; SAP / Oracle / etc
    • Monitoring, compliance, configuration management
    • Deliver a broad range of complete cloud services (With PDA)
  • 57. Content roadmap by release (Aug 2013, Nov 2013, Feb 2014) across Portal, Enterprise Web & OS/MW/RTE, Mid Tier and DB Tier: Microsoft IIS 7.x, Microsoft IIS 8.x, MySQL SE/EE, MySQL CCE, SQL 2K8R2, SQL 2K12, Virtual, Liferay Portal 6.x, GWS, WAS 7.x, WAS 8.x, JBoss AS 7.1, WildFly 8, 5.6, vFabric tc Server, Oracle 11g, Oracle 11g RAC, RH 5.8, RH 6.2, W2K8R2, W2K12, NXT GEN, Apache http 2.4, Gitlab, HANA, Gitorious, WAPP, LAPP, Apache ZooKeeper, ownCloud, Alfresco CMS
  • 58. BMC Cloud Lifecycle Management End-to-end Cloud Management Platform
  • 59. Service Governance & Compliance: place cloud services with policies & capacity data across private, public, and hybrid clouds
  • 60. Closed loop Compliance & Configuration Automation
    • One platform for automation: Software packaging; Deployment; Patching; Policy management; Virtualization management
    • Same solution for continuous compliance: Automated, periodic auditing; Automatic remediation generation; Reduced staff utilization; Consistent high levels of compliance; On-demand compliance reporting
    • Unified architecture for configuration automation and compliance
  • 61. BMC Cloud Lifecycle Management End-to-end Cloud Management Platform
  • 62. Integrated and Automated Change Control – Change Management
    1. Simple integration to IT release processes (e.g. standard change request to deploy a new cloud service)
    2. Agile, automated change management (e.g. pre-approved change request to increase capacity)
    3. “Embedded” change, patch, and incident processes (e.g. drift mgmt, audit logging)
    4. Enterprise Governance and Compliance (e.g. IT change policy adherence through automation)
  • 63. BMC Cloud Lifecycle Management End-to-end Cloud Management Platform
  • 64. BMC Software - AWS Resource Management capability for Amazon Web Services
    • Fully automated provisioning to AWS and support for provision, decommission, extend, start, stop, modify CPU/RAM
    • Full support for AWS VPC
    • Support for multiple regions and AZs
    • Multiple account management for AWS
    • Layered software deployments on top of AMIs
    • OOTB content to create unique & “safe” MI’s
    • Clone AMIs associated with EBS
    • Specify AWS security groups
    • Support for Elastic IPs
  • 65. BMC Cloud Lifecycle Management End-to-end Cloud Management Platform
  • 66. Visibility of current and forecasted cloud capacity – BMC Cloud Operations Management
    • Monitor capacity utilization across data centers, private and public cloud infrastructures; alert on upcoming saturation
    • Perform what-if analysis for: expected growth rates; unanticipated usage spikes; changes to existing services
    • Provide foundation for continued investment with utilization data by cloud service and users
    • Prepare for cloud capacity demands and optimize investment decisions
  • 67. Real-time insight on health with cloud panorama – BMC Cloud Operations Management
    • Identify performance issues
    • Determine impacted users and organizations
    • Isolate root cause
    • Trigger automated repair
    • Prioritize and resolve issues based on service levels and business priorities
  • 68. Automated chargeback reporting for the business. BMC Cloud Lifecycle Management records pricing in the customer contract; BMC Capacity Optimization measures usage, reads the service contract, calculates costs and produces reports by tenant and service level. Accurately measure and charge for cloud resource consumption
  • 69. The Power of BMC - Pearson
  • 70. The Power of BMC - Pearson 50% Reduction in Global Time to Provision
  • 71. With both BMC Software and AWS, IT can deliver the benefits of Cloud across both on-premise and AWS cloud services:
    • Reduce up-front capital expenditures while managing existing IT
      – Reduce operational expenditure by automating repeatable tasks
      – Centralise cost reporting of the Hybrid IT environment
    • Provision (IaaS, SaaS, PaaS) configured application stacks automatically
    • Ensure reliable cloud service performance for all users and services
    • Deliver role-based access through a business-friendly self-service portal in BMC Cloud Lifecycle Management
    • Ensure appropriate automated or manual change approval
    • Maintain configurations and compliance rules
    • Unify operations management for hybrid IT
    (diagram: Unified Management of Hybrid Environments)
  • 72. SAFE CHOICE: A Mainstream Business for BMC. BMC Cloud Lifecycle Management customers: Telco Clouds, Service Provider Clouds, Private Clouds
  • 73. Thank you
  • 74. Advanced Cloud Security for AWS. Anthony Kim, Sr. Engineer of Cloud Security Business, TrendMicro (Korea)
  • 75. The Global Growth of Cloud Computing. Copyright 2013 Trend Micro Inc.
  • 76. Source: Cloud Readiness Index 2012, Asia Cloud Computing Association
  • 77. Enterprises and the Cloud …
    • Security & compliance are top priorities for enterprise-wide adoption of the cloud
    • Are cloud security needs that different than on-premise?
      – Cloud introduces the concept of shared responsibility for securing their services and applications running in the cloud
    • Security is not the only inhibitor …
      – Many organizations are reluctant to change the status quo: fear of the unknown; cloud concepts & terminology intimidating; IT job loss concerns; dramatic change from a process & operations perspective …; not sure how/where to get started …
  • 78. Cloud Security is a Shared Responsibility
  • 79. Consumer of Cloud Services Responsibilities
    • Consumers of cloud services are responsible for
      – Security of the VMs/Instances (OS & Applications)
      – Ensuring SLA’s are maintained
      – Ultimately it boils down to protecting your instances from compromise, the integrity of the applications and privacy of data in the cloud…
    • How do you protect AWS instances?
      – Traditional network appliances are not feasible: on-premise controls rely on physical network access
      – Agent-based host security controls required
  • 80. Need to Secure the Complete Journey to the Cloud – The AWS Shared Responsibility Model
    • Customer Domain (Enterprise Applications, Enterprise Operating Systems, Partner Eco-System): OS Security; Application Security; OS Firewalls; Anti-Virus; Integrity Monitoring; Storage Encryption
    • AWS Domain: Facilities; Physical Security; Physical Infrastructure; Virtualized Infrastructure
  • 81. Security Considerations in the Cloud
  • 82. Security Considerations in the Cloud – Instance Awareness
    • Knowing that the instance is IN THE CLOUD
    • Understanding where the instance ‘lives’ and what its identity is
    • What security policies need to be applied?
  • 83. Security Considerations in the Cloud – Scale & Automation
    • Next generation applications will be elastic by nature
    • Security also needs to be elastic
    • All components, including security, need to work in concert to be effective
  • 84. Security Considerations in the Cloud – Complexity
    • Supporting large scale, distributed and even distinct cloud environments
    • Provides mitigation to ever-increasing vulnerabilities for applications & operating systems
    • Security to ensure confidentiality & integrity of data stored in the cloud environment
  • 85. Security Considerations in the Cloud – Data Access & Governance
    • How do I ensure my data confidentiality & integrity?
    • Adopt the necessary technology controls to meet data privacy
  • 86. Security Considerations in the Cloud
    • Security principles don’t change
    • Security policies don’t change
    • Implementation & management change
    • Extend your current security policy to the Cloud
  • 87. Practical Guidance for Security in the Cloud
  • 88. Cloud Security: Shared Responsibility. What type of instance security controls are required? (The Need – Preferred Security Control)
    • Data confidentiality – Encryption
    • Block malicious software – Anti-Malware
    • Detect & track vulnerabilities – Vulnerability scanning services
    • Control server communications – Host-firewalls
    • Detect suspicious activity – Intrusion Prevention
    • Detect unauthorized changes – File Integrity Monitoring
    • Block OS & App vulnerabilities – Patch & Virtual Patching
    • Data monitoring & compliance – Data Leakage Prevention
  • 89. Trend Micro Deep Security for AWS – Next Generation Security for Hybrid Datacenter (Physical, Virtual, Private Cloud, Public Cloud)
    • Deep Packet Inspection
      – Virtual Patching (IDS/IPS): provides vulnerability shielding to known & zero-day vulnerabilities
      – Web Application Protection: defends against SQL injection attacks, cross-site scripting attacks & other web application vulnerabilities
      – Application Control: increased visibility into, or control over, applications accessing the network
    • Anti-Virus: leading Anti-Malware for Virtualization & Cloud
    • Firewall: reduces attack surface, prevents DoS & detects reconnaissance scans
    • Log Inspection: optimizes the identification of important security events buried in log entries
    • Integrity Monitoring: monitors critical operating system and application files for unexpected changes
  • 90. Gartner Server Security Strategy (from Gartner paper, in decreasing order of importance) vs. Trend Micro Deep Security capabilities
    • Security configuration mgmt. – Yes
    • Patch mgmt. – Yes (with Virtual Patching)
    • Application control – Yes
    • File Integrity Monitoring (FIM) – Yes
    • Antimalware (file servers) – Yes
    • Deep Packet Inspection based HIPS – Yes
    • Antimalware (Windows) – Yes
    • Behavioural HIPS – Yes
    • Application firewalling – Yes
    • Traditional host based firewall – Yes
    • Device control – (none)
    • Full drive encryption – Yes, with Trend Micro SecureCloud
    • Removable device encryption – (none)
  • 91. Trend Micro Deep Security as a Service* – protection for AWS Instances (diagram: DS as a Service Manager in front of the managed DS as a Service instances). *Available in North America now, APAC in 2014.
  • 92. Which Deep Security version is for you?
    • Buy Deep Security Software: datacenter security requirements; hybrid cloud environments; prefer to run Deep Security Managers themselves; require a solution now
    • Buy Deep Security as a Service: AWS only security requirement; prefer utility charging model; want the convenience of a SaaS; available in North America now, APAC in 2014
  • 93. Trend Micro SecureCloud for AWS – Securing and Controlling Sensitive Data in the Cloud. Encryption with Policy-based Key Management (for Credit Card Payment Information, Social Security Numbers, Patient Medical Records, Sensitive Research Results)
    • Unreadable for unauthorized users
    • Control of when and where data is accessed
    • Server validation
    • Custody of keys
    Encrypt throughout your cloud journey — data protection for physical, virtual & cloud environments
  • 94. Trend Micro SecureCloud for AWS
    • Protection for data in the cloud
    • Automated encryption and key management
    • Solution that helps you protect the privacy of data in AWS, making sure that only authorized servers can access encryption keys
    • Trend Micro’s highly automated data protection approach safely delivers encryption keys to valid devices without the need for you to deploy an entire file system and management infrastructure
    • Key benefits: Policy-Based Key Management; Enterprise-Controlled Encryption and Key Management; Standard Protocols and Advanced Encryption; Authentication; Logging, Reporting, and Auditing; Separation of duties
  • 95. Why Trend Micro for AWS?
    • Amazon Advanced Technology Partner
    • Deep Security is Common Criteria EAL 4+
    • #1 in Server Security (2012 IDC – Worldwide Endpoint Security Revenue Share by Vendor, 2011)
    • #1 in Virtualization Security (2011 Technavio – Global Virtualization Security Management Solutions)
    • #1 in Cloud Security (2012 Technavio – Global Security World Market)
    • 1st & only security that extends from enterprise datacenter to cloud
    • Optimized for AWS
  • 96. Thank you