Projecting Enterprise Security Requirements on the Cloud
Published in: Technology, Business

  1. Projecting Enterprise Security Requirements on the Cloud. Case Study - Cloud. Presented by: Billy Cox, Director Cloud Computing Strategy, Intel; Blake Dournaee, Product Manager & Author, SOA Demystified, Intel
  2. Topic Agenda
     • Enterprise Risk Factors & Criteria
     • What can Enterprise Control Enterprise Requirements
     • Emerging Standards & Models
     • What Can be Done Today
     • Summary of Intel Cloud Capabilities
  3. Potential Risk - Illustrated [diagram labels: Amazon EC2; Keys to the Castle; Basic Auth Enterprise Credentials Compromised For Access; Enterprise VM Images]
  4. Potential Risk - Illustrated [diagram labels: Amazon EC2; Rogue Image Trojan Injected Amongst Enterprise VMs]
  5. Potential Risk - Illustrated [diagram labels: Amazon EC2; Virus replayed back in Enterprise; Data sent and lost to unknown source]
  6. Enterprise Risks & Security Interests (table columns: Risk; Enterprise; Provider)
     • Insecure, Porous APIs. Enterprise: Major Risk. Man in the middle, content threats, code injection, DoS attacks. Provider: Don’t care. API security converges along with market price.
     • Logical Multi-Tenancy. Enterprise: Unknown Risk. Virtual machine attacks, malicious code, commingled data. Provider: Don’t care. Security of the multi-tenant architecture is a problem for [Insert Hypervisor Vendor Name] to solve. Oh, and trust us that your data is separate from your neighbor.
     • Data Protection and Leakage. Enterprise: Major Risk. Reduced confidentiality for private data stored in the clear at the cloud provider. Provider: Opposite incentive. Clear text data allows me to provide increased functions based on search.
     • Data Loss and Reliability. Enterprise: Major Risk. Unavailability or loss of critical enterprise data. Provider: Care a little. Infrastructure reliability is guaranteed according to my SLA, plus you get a refund if we mess up ☺
     • Audit and Monitoring. Enterprise: Major Risk. Rogue uses of cloud services in Enterprise. Provider: Care a little. I will provide basic monitoring of infrastructure but the rest is up to you.
     • Cloud Provider Insider Threats. Enterprise: Unknown Risk. Mismatched security practices at CSP create a weak link for attackers. Provider: Don’t care. We are secure enough. Just trust us.
     • Account Hacking, Access Control, and Authorization. Enterprise: Major Risk. Coarse access control at CSP increases the value of a stolen account. Provider: Care a little. AAA mechanisms must be good enough to support my SaaS app. It’s your job to map to our way of handling identities.
  7. Where does Control Lie? [diagram labels: Provider; Enterprise]
     Four of the seven risks are directly under the enterprise control:
     • Insecure, Porous APIs
     • Data Protection and Leakage
     • Audit and Monitoring
     • Account Hacking, Access Control, and Authorization
     Short of a boycott, the remaining 3 are largely out of control…
     • Logical Multi-Tenancy
     • Data Loss and Reliability
     • Cloud Provider Insider Threats
  8. DMTF Cloud Standards
  9. SNIA Cloud Standards
  10. Cloud - Eucalyptus [architecture diagram; labels include: Cloud Client; Customer (consumer) Network; Lab Infrastructure; Eucalyptus Cloud; Bulk Storage Infrastructure; iSCSI; Walrus; Cluster block storage and compute; Power managers; Cluster Controller; Storage Controller; Power Manager; Management; Node Controller; Compute Clusters]
  11. Slide 10, reviewer comment KA3: Fix box titles. Kelly Anderson, 21/05/2010
  12. Basic Model [diagram labels: Cloud Provider; Web Service; Request; UDDI or Resource; Enterprise; User; Credentials & Policies; IdM; Security Profile; Internal IdM]
     • Authentication token
     • Customer access control policies
     • Customer data protection policies
  13. Cloud Access through a Broker [diagram labels: Enterprise; User; Request; Credentials & Policies; Security Profile; Internal IdM; Cloud Broker; Broker Token; Broker Credentials & Policies; Cloud Service Provider; Web Service; UDDI or Resource; External IdM]
  14. #1 – Broker as Management Entry Point [diagram labels: Enterprise Consumer; Request; Service Gateway; IdM; Identity Reference; Cloud Provider; Cloud Mgr; Cloud Site 1; Cloud Site 2; Cloud Site 3]
     • Entry point for cloud management (not data, only mgmt)
     • Single point of entry and validation for all sites and Cloud Consumers
     • Consistent credentials validation
  15. #2 – Broker as Outbound PEP [diagram labels: Enterprise Consumer; Dynamic Enterprise Perimeter; User; Private Cloud; Cloud Provider 1; Cloud Provider 2; UDDI or Resource]
     • Cloud customer accesses multiple clouds
     • Internal users don’t want to see that complexity
     • Broker directs based on policy and converts protocols as necessary
     • Secures provider access credentials
  16. Public Cloud & SaaS
  17. Private Cloud Virtual Gateway Usage Model [diagram labels: Enterprise; Dynamic Enterprise Perimeter; Service Virtualization; Portal & CRM App; IdM, Active Directory, ABAC; API & Token Broker; Private Cloud 1; Partner Private Cloud 2]
     1. User AuthN/Auth - SOAP/REST, Kerberos, Basic Auth, Siteminder, X.509
     2. Virtualize, Load Balance, Firewall, Generate SAML Token
     3. SOAP, REST or JSON SAML Response
     In VPDC, Service Gateway protects access to Services, maps credentials, enforces ABAC, brokers protocols & formats
  18. CloudBurst Security Using Virtual Gateway [diagram labels: Enterprise; Dynamic Enterprise Perimeter; Portal or Web Service; IdM or Active Directory; UDDI or Resource; API & HSM; Storage; Private Cloud; Amazon EC2 (Public Cloud); Force.com Apps (Public Cloud)]
     1. Request with Credentials to Access a Resource
     2. Locate Resource(s)
     3. Local Authentication
     4. Mapped to an AWS Credential in Request for Resource
     5. Generate SAML Request with Request for Resource to Force
     Manage, secure, hide Cloud brokering complexity. Convert formats. Provide access control
  19. More Information on Intel SOA Expressway & Cloud. “This Intel paper brings new detail to Cloud Security Alliance best practices” – Jim Reavis, Executive Director, Cloud Security Alliance. www.dynamicperimeter.com
  20. Questions? Click on the questions tab on your screen, type in your question, name and e-mail address; then hit submit.