Layer 7 & Burton Group: New Cloud Security Model Requirements

Cloud Computing requires a new security architecture. Learn more in this presentation.

Published in Technology

Transcript

  • 1. New Security Models for the Cloud
    Anne Thomas Manes, VP & Research Director, Burton Group
    amanes@burtongroup.com, www.burtongroup.com, Twitter: @atmanes
    November 19, 2009. All Contents © 2009 Burton Group. All rights reserved.
  • 2. Cloud Computing
    The set of disciplines, technologies, and business models used to deliver IT capabilities (software, platforms, hardware) as on-demand, scalable, elastic services.
    (Diagram caption: “How can I make this... look more like this?”)
  • 3. Security - Who is in control?
  • 4. What…Me Worry?
    • Public cloud’s multi-tenant, dynamic characteristics may put sensitive or regulated data at risk
    • Vendor viability creates strategic risk
    • Denial of service attacks could create systemic risk
    • A lack of transparency and accountability about security from cloud vendors lowers trust
    (Callout: IDC survey: 74% rate cloud security issues as “very significant”)
  • 5. How’s the Public Cloud Security? Incidents
    • November 2007: Salesforce Staff Speared by Phishers
    • July 2008: Hey Spammers, Get Off My Cloud!
    • March 2009: Google Privacy Blunder Shares Your Docs…
    • June 2009: Webhost hack wipes out data for 100,000 sites
    • October 2009: Amazon Web Services DDoS Attack And The Cloud
    • More at http://wiki.cloudcommunity.org/wiki/CloudComputing:Incidents_Database
  • 6. Cloud Requires a New Security Architecture
    • Virtual data centers
    • Service oriented organization
    • Next generation operating systems and infrastructure
    (Architecture diagram; labels recoverable from the slide: Service consumer; Service request (console or API); Service catalog; Service interface; Enterprise service management; Virtual DC (three instances); External application(s); External service; Service bus; Cloud OS; Internal IT; Cloud management provider; Virtual infrastructure management interfaces; Traditional infrastructure; Virtual infrastructure; Virtual infrastructure management tools; Physical infrastructure: Compute, Network, Storage, Security)
  • 7. Rethinking Security Architecture
    Security perimeters are changing
    • Activities and data move across open, untrusted networks
    • “Zones of trust” must become more logical than physical
    • Identity and application-aware firewalls
    • Security vendors must embrace virtualization security
    • Security management must span internal and external clouds
  • 8. Rethinking Security Architecture
    Service-oriented security and identity management
    • Security must span internal and external clouds
    • Service oriented interfaces must be secured
    • Existing domain access control must give way to standards-based identity services
    • Multiple sources of identity
    • Encryption and key management must “follow” sensitive data
  • 9. Security Zone Model
    Zone definition: “A grouping of IT resources which may reside at multiple locations but have similar business communication and network protection requirements”
    Typical organization has equivalent of some or all of these zones.
    (Zone diagram; note on the slide: * Audit zone optional)
  • 10. Changing Zone Implementations
    Physical view – “old school” zone implementation: separation between the enterprise resources (sites, servers, devices) and the untrusted zone accomplished by perimeter devices.
    (Diagram labels: Enterprise Controlled/Owned User Site; Enterprise Controlled/Owned Data Center; Site to Site VPN or Private WAN; Not necessarily secure protocols; Not necessarily secure endpoint; Monitoring and Enforcement; Access Server “Farm”; Perimeter; Internet)
  • 11. Changing Zone Implementations
    Physical view – “new school” zone implementation: separation between the enterprise resources (sites, servers, devices) and the untrusted zone accomplished by cryptography, e.g. security overlays (resulting in this kind of topology).
    (Diagram labels: Enterprise Controlled/Owned Data Center; Any network or site; Secure protocols; End to End Security; VPN or Proxy System; Secure Endpoint (VPN client, system firewall, etc.); Monitoring and Enforcement; Access Server “Farm”; Perimeter)
  • 12. Dynamic Perimeter Enforcement
    New model: Logical zones with dynamic perimeters
    • Numerous, coordinated endpoint security agents
    • Centralized policy controls connection rules
    • Smarter firewalls
    • Smarter switching fabric
    • Common theme: Multi-layer enforcement (L4 + L7)
    • Access decisions based on identity and application protocol, not just IP address and port
  • 13. Mutually Reinforcing SOA and Security
    • SOA adds a new dimension to the security landscape
      • Loosely coupled connections
      • Requirements for cross-domain federation
      • Don’t assume the average developer understands all the issues
      • Don’t assume that all services can safely combine in all security contexts
    • Recommended strategy
      • Build on existing IdM strategy
      • Externalize security as much as possible (e.g. authentication, authorization, crypto, audit)
      • Combine transport-level and application-level protections
      • Use layered defenses
      • Establish good governance processes
  • 14. Applying SOA to Security
    Layered defenses
    • Policy enforcement points (PEPs) as intermediaries and at endpoints
    • Externalize security functions to the PEPs
    (Diagram: firewalls as perimeter PEPs; a PEP at each service endpoint; centralized intermediary PEPs; external services reached through the external DMZ)
  • 15. Mediation in the Cloud
    Cloud broker or gateway product. Typical functionality:
    • Secure communications
    • Multi-protocol
    • Enforce policy
    • Authentication
    • Access control
    • Logging and audit
    (Diagram: firewall and cloud gateway. Source of diagram: Layer7, originally concerning the SecureSpan product)
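Slides 12, 14 and 15 together describe a policy enforcement point that decides on identity and application protocol rather than on IP address and port alone, and that records every decision for audit. The following is an added example written for this transcript; it is not code from the Burton Group or Layer 7 material. The rules, directory entries, sample requests, and all class and function names (Request, Rule, PolicyEnforcementPoint, perimeter_decide, run_samples) are constructed for illustration. It contrasts an "old school" IP-and-port perimeter check with the L4 + L7 decision, and shows why two services sharing port 443 cannot be told apart by port alone.

```python
"""Minimal policy enforcement point (PEP): identity- and protocol-aware access
decisions with an audit trail. Added example; every name, rule, identity and
request below is constructed for illustration and not taken from the slides."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    """One message as the PEP sees it after transport-level handling."""
    src_ip: str                 # L3 source address
    dst_port: int               # L4 destination port
    app_protocol: str           # L7 protocol identified by inspection ("http", "ssh", ...)
    subject: Optional[str]      # authenticated identity, None if not authenticated
    operation: str              # L7 operation, e.g. "GET /orders"


@dataclass(frozen=True)
class Rule:
    """Which groups may perform which L7 operations on a given port/protocol."""
    name: str
    dst_port: int
    app_protocol: str
    operations: FrozenSet[str]
    groups: FrozenSet[str]


# Constructed identity source: subject -> group memberships (a directory lookup in practice)
DIRECTORY: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"sales"}),
    "bob": frozenset({"ops"}),
}

# Constructed policy: both services share port 443, so port alone cannot tell them apart
RULES: Tuple[Rule, ...] = (
    Rule("orders-api", 443, "http", frozenset({"GET /orders", "POST /orders"}), frozenset({"sales"})),
    Rule("metrics", 443, "http", frozenset({"GET /metrics"}), frozenset({"ops"})),
)

# Constructed "old school" perimeter rule: trusted address space may reach port 443
TRUSTED_PREFIXES = ("10.0.0.",)


def perimeter_decide(req: Request) -> bool:
    """IP address + port only: the physical-perimeter model of slide 10."""
    return req.dst_port == 443 and req.src_ip.startswith(TRUSTED_PREFIXES)


class PolicyEnforcementPoint:
    """Logical-zone PEP: authenticates, then matches port, protocol, operation and group."""

    def __init__(self, rules: Tuple[Rule, ...], directory: Dict[str, FrozenSet[str]]):
        self.rules = rules
        self.directory = directory
        self.audit_log: List[dict] = []      # every decision is recorded (logging and audit)

    def decide(self, req: Request) -> Tuple[bool, str]:
        allowed, reason = self._evaluate(req)
        self.audit_log.append({
            "subject": req.subject, "src_ip": req.src_ip, "port": req.dst_port,
            "protocol": req.app_protocol, "operation": req.operation,
            "allowed": allowed, "reason": reason,
        })
        return allowed, reason

    def _evaluate(self, req: Request) -> Tuple[bool, str]:
        if req.subject is None or req.subject not in self.directory:
            return False, "unauthenticated subject"
        groups = self.directory[req.subject]
        for rule in self.rules:
            if (rule.dst_port, rule.app_protocol) != (req.dst_port, req.app_protocol):
                continue
            if req.operation not in rule.operations:
                continue
            if groups & rule.groups:
                return True, f"matched rule {rule.name}"
            return False, f"{req.subject} not in groups for {rule.name}"
        return False, "no rule for port/protocol/operation"


# Constructed sample traffic contrasting the two models
SAMPLE_REQUESTS: Dict[str, Request] = {
    "sales_reads_orders": Request("10.0.0.5", 443, "http", "alice", "GET /orders"),
    "sales_reads_metrics": Request("10.0.0.5", 443, "http", "alice", "GET /metrics"),
    "ssh_tunnelled_on_443": Request("10.0.0.5", 443, "ssh", "bob", "session"),
    "ops_from_any_network": Request("203.0.113.9", 443, "http", "bob", "GET /metrics"),
    "anonymous_reads_orders": Request("10.0.0.5", 443, "http", None, "GET /orders"),
}


def run_samples() -> Tuple[Dict[str, Dict[str, bool]], List[dict]]:
    """Evaluate each sample under both models; returns the verdicts and the PEP's audit log."""
    pep = PolicyEnforcementPoint(RULES, DIRECTORY)
    verdicts = {}
    for label, req in SAMPLE_REQUESTS.items():
        verdicts[label] = {"perimeter": perimeter_decide(req), "pep": pep.decide(req)[0]}
    return verdicts, pep.audit_log


if __name__ == "__main__":
    results, log = run_samples()
    for label, verdict in results.items():
        print(f"{label:24s} perimeter={verdict['perimeter']!s:5s} pep={verdict['pep']}")
    for entry in log:
        print(entry)
```

The perimeter check admits every request from the trusted address range, including SSH tunnelled over port 443 and an unauthenticated caller, while rejecting a legitimate operator who happens to be on an untrusted network; the PEP reaches the opposite verdict in each of those cases, and its audit log carries the reason for every decision, which is what "logging and audit" on slide 15 buys you.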
  • 16. New Security Models for the Cloud
    Recommendations and takeaways
    • Think “service-oriented” when you’re thinking cloud
    • Mutually reinforce SOA and security:
      • Secure communications methods
      • Layered defense
      • Good governance
    • Consider cloud brokers to enforce policies in the cloud
  • 17. New Security Model Requirements for the Cloud: Enabling Safe Cloud Computing
    K. Scott Morrison, CTO & Chief Architect
  • 18. Trust is the fundamental requirement of cloud computing
  • 19. Anne showed us we need to:
    • Understand Risk
    • Control Boundaries
    Trust is the measure of your confidence in these.
  • 20. But How Do We Gain Control Over SaaS?
    Consider the degrees of freedom SOA offers us.
  • 21. Pattern 1: Assert Outgoing Control
    • Single Sign On
    • Managed access to authorized services
    • SLA enforcement
    (Diagram labels: Firewall; Audit; Directory; NetOps)
  • 22. Pattern 2: Manage Access to Corporate Resources
    • Access Control
    • Alarms and audit
    • Safe routing
    (Diagram labels: DMZ; Firewall; Secure Zone; Directory; SaaS Application; NetOps; User)
  • 23. How Do We Assert Control Over IaaS?
  • 24. Pattern 3: Manage Cloud-Based SOA Apps with Virtual PEP
    (Diagram: hardware PEP and virtual PEP instances with identical functionality, fronting cloud services)
    Secure Services, Not Networks
  • 25. What Does Layered Defense Look Like In The Cloud?
    (Diagram, repeated from slide 14: firewalls as perimeter PEPs; a PEP at each service endpoint; centralized intermediary PEPs; external services reached through the external DMZ)
  • 26. Zones of Trust
    (Diagram labels: Application-Layer Isolation, Monitoring, & Control; Cloud Edge; Virtual PEP; Secure Message)
    This is true SOA defense-in-depth.
  • 27. This Is The Ultimate Realization Of SOA
    Visibility, Security, Control
    Cloud Governance is the evolution of SOA Governance.
    (Diagram label: NetOps)
  • 28. For More Information:
    K. Scott Morrison, Layer 7 Technologies, CTO and Chief Architect
    smorrison@layer7tech.com, http://www.layer7tech.com, Twitter: @kscottmorrison
    Anne Thomas Manes, Burton Group, VP & Research Director
    amanes@burtongroup.com, http://www.brutongroup.com, Twitter: @atmanes