Layer 7: Cloud Security For The Public Sector

Cloud Security for Public Sector Tower Club Presented by: Adam Vincent, CTO Public Sector, Layer 7 Technologies avincent@gov.layer7tech.com

In the Cloud Risks to Cloud Consumers: • Security and Privacy – how can I be sure that my data and applications will be secure? • Business Continuity – what happens if my Internet provider or cloud provider goes down? • Business Value – how can I be sure my cloud service provider is meeting my SLA? • Compliance – how can I ensure regulatory/legal compliance? “Sharing the Cloud” 2 Adam Vincent, CTO Public Sector | avincent@gov.layer7tech.com | www.layer7tech.com

Traditional Information Assurance - Multi-Tenant Multi-Tenant Cloud Environments = Problem Cloud Consumers 3 Adam Vincent, CTO Public Sector | avincent@gov.layer7tech.com | www.layer7tech.com

Introducing New Risk: Cloud Attack Surface Enterprise Enterprise Enterprise Perimeter Zone Internet Zone Perimeter Zone Internet Zone Perimeter Zone Internet Zone Traditional Software/OS & Perimeter Defense ApplicationZone Perimeter Zone ApplicationZone Perimeter Zone ApplicationZone Perimeter Zone Virtual Server Zone Application Zone Virtual Server Zone Application Zone Virtual Server Zone Application Zone Cloud API’s & Governance Shared API’s & Cloud Governance vulnerabilities Hypervisor Exploitation Shared Hypervisor Hardware Exploitation Shared Hardware & Supply Chain Insider Threat Shared People 4 Adam Vincent, CTO Public Sector | avincent@gov.layer7tech.com | www.layer7tech.com

Introducing New Risk: When the Cloud Attacks Leveraging the Cloud Nefariously: • Denial of Service – how can I be sure that my cloud is not being used to launch a DoS? • Cryptographic Analysis– how can I be sure that my cloud isn’t working towards breaking someone's encryption? • Command & Control – how can I ensure that my cloud is not providing an adversary a platform to monitor and control a cyber attack? “Responsibility for Good not Evil” 5 Adam Vincent, CTO Public Sector | avincent@gov.layer7tech.com | www.layer7tech.com

Example: Thunderclap Proof of Concept Thunderclap – “Cloud Computing – A Weapon of Mass Destruction? (DEFCON 2010)” • Proof of Concept showing how DDoS attack could be run from the cloud Value Proposition (my interpretation) • Performance: Massive Bandwidth & Power = Plentiful • Up Front Cost: Stolen Credit Card Number = Free • Time: Little to none once initial R&D is completed = Time for hobbies • Value: Charge $$$ to highest bidder = Make massive profit Conclusion: Not a bad business model! 6 Adam Vincent, CTO Public Sector | avincent@gov.layer7tech.com | www.layer7tech.com

Conclusions  Cloud provides a powerful & agile capability for small, medium, and large businesses.  Cloud Consumers - Connect: “your cloud capabilities” to current information assurance/cyber defense solutions & requirements - Protect: “your cloud capabilities” from the threat of shared governance, API’s, networks, virtualization platforms, and hardware  Cloud Providers - Control: “your cloud infrastructure” with detection and discovery to ensure that it isn't being abused, directed against others, compromised or used for free Layer 7 Technologies: CloudSpan products: CloudConnect, CloudProtect and CloudControl help organizations at each stage of their cloud adoption curve, from consuming SaaS services, to running applications securely in the cloud, to becoming a provider of cloud and SaaS services. 7 Adam Vincent, CTO Public Sector | avincent@gov.layer7tech.com | www.layer7tech.com

http://www.layer7tech.com	338
http://www.layer7.com	126
http://layer7.com	17
http://gov.layer7tech.com	1

Layer 7: Cloud Security For The Public Sector

by Layer 7 Technologies on Aug 20, 2010

Accessibility

Categories

Tags

Upload Details

Usage Rights

4 Embeds 482

Statistics

Layer 7: Cloud Security For The Public Sector — Presentation Transcript