A Plan to Control and Protect Data in the Private and Public Cloud
Despite cloud computing’s maturation as an enterprise IT application or infrastructure option, IT management concerns persist, notably in the areas of security, IT governance, and business continuity. The speaker will focus on security and data governance issues regarding deployment of private, hybrid and public clouds, and offer a pragmatic plan for resolving these concerns. This plan navigates the tangle of security responsibilities between enterprises and cloud service providers to enable IT managers to leverage the economics and flexibility provided by cloud-based applications. The plan focuses on how companies can create secure spaces in the cloud and both protect and control data in those spaces.

Todd Thiemann, Senior Director, Datacenter Products, Trend Micro, Inc.

Todd Thiemann has been with Trend Micro for over eight years and is currently responsible for planning Trend Micro’s products and technologies designed to secure datacenter information including virtualization and cloud security, DLP, and encryption. Todd is also co-chair of the Cloud Security Alliance Solution Provider Forum.

Todd holds a BS degree from Georgetown University and an MBA from the Anderson School of Business at the University of California, Los Angeles.

Published in: Technology


Transcript

  • 1. A Plan To Control and Protect Data in the Private and Public Cloud. Todd Thiemann, Senior Director, Datacenter Security, Trend Micro. (Copyright 2009 Trend Micro Inc.)
  • 2. Why virtualization & cloud matter: speed and business impact, expertise and performance, cost reduction. The Cloud Imperative: “If by mid-year you have not developed and begun to execute upon an ambitious and enterprise-wide cloud strategy, then by year-end the odds are good you'll no longer be a CIO.” (“Global CIO: The Top 10 CIO Issues For 2010”, InformationWeek, 21 December 2009)
  • 3. Virtualization & Cloud Have Management Attention. Source: “The 2010 Gartner Scenario: The Current State and Future Directions of the IT Industry”, Gartner, 14 June 2010.
  • 4. Realized Benefits of Cloud Computing: Enterprises Reducing Costs, Increasing Agility. Pharmaceutical R&D and the cloud: “Drug behemoth Eli Lilly and Co. …uses Amazon's Elastic Compute Cloud (EC2) for scientific collaboration and computations … because they empower many subsets of users.” (SearchCIO.com, 30 July 2009). Public cloud for backup & storage: using public cloud services, GE reduced backup costs by 40% to 60% and created reusable processes in a rapidly deployable model (Matt Merchant, General Electric, December 2009). Gartner Top 10 Strategic Technologies in 2010: “Cloud Computing. Organizations should think about how to approach the cloud in terms of using cloud services, developing cloud-based applications and implementing private cloud environments.” (SearchCIO.com, 22 October 2009). Cloud computing & security: “CISOs and Security Architects: Don't let operations-led projects lower your security profile. Engage in a discussion of the issues now, not after the fact.” (Neil MacDonald, Gartner, Gartner Data Center Conference, December 2009)
  • 5. Security: the #1 Cloud Challenge. “Security and privacy were the foremost concerns by far, with a weighted score higher than the next three (performance, immaturity and regulatory compliance) combined.” (Gartner, April 2010)
  • 6. “Typical” Customer Virtualization Evolution (chart; axes: Servers, Desktops). Phase 1, Consolidation: DC consolidation; non-mission-critical base applications; standardized hypervisor; simple VM management. Phase 2, Expansion & Desktop: mission-critical applications & endpoint control; performance becomes critical; API and advanced management use; VDI sampling; enhanced compliance controls. Phase 3, Private > Public Cloud: public and private cloud; multi-hypervisor; virtualized storage; multi-tenancy; workload management; dedicate or burst to public.
  • 7. The Evolving Datacenter: Lowering Costs, Increasing Flexibility. Physical: traditional datacenter. Virtual: consolidation (cost center, single hypervisor, data per app). Private cloud: multi-tenant (charge back, multi-hypervisor, data sharing). Public cloud: outsourced (metered, shared resources, data mobility). Infrastructure security and data protection must keep up with cloud evolution.
  • 8. Phase 1 Security Challenge: a perimeter-only (“outside-in”) approach together with rapid virtualization has created less secure application environments. “Through 2012, 60% of virtualized servers will be less secure than the physical servers they replace.” (“Addressing the Most Common Security Risks in Data Center Virtualization Projects”, Gartner, 25 January 2010)
  • 9. Phase I: the virtual datacenter is very dynamic. New challenges (hypervisor, inter-VM attacks, PCI, mobility, cloud computing) require a new security architecture.
  • 10. Virtual Machines Need Specialized Protection. The same threats exist in virtualized servers as in physical ones. New challenges: 1. Instant-on/dormant VMs 2. Resource contention 3. VM sprawl 4. Inter-VM traffic 5. vMotion
  • 11. Virtualization Security Foundation: “Secure the workload”. Diagram: VMs (App1/OS1/VM1 … App3/OS3/VM3) on a hypervisor, each a self-secured workload (app firewall, IPS, AV, …), with VM & network security integration.
  • 12. Customers' most common Phase I concern: instant-on or unmanaged VMs & patching. • Determines missing patches and existing vulnerabilities – operating system – common desktop applications. • Recommends a set of lightweight, fast-to-deploy filters – virtually patches the vulnerabilities – zero-day protection – reports on attempts to exploit vulnerabilities. • Removes filters as soon as the patch is deployed. Virtually patch endpoints until the patch is ready, without exposing them to exploits.
  • 13. “Inside-out” Protection Model for Physical, Virtual and Cloud Computing. Diagram labels: “De-Militarized Zone” (DMZ), Business Servers, Mission Critical Servers; controls: Firewall, IPS, NIPS, File Integrity Monitoring, Log Inspection, IDS/IPS. Trend Micro Deep Security provides a secure container for applications and data.
  • 14. “Typical” Customer Virtualization Evolution (section divider; same chart as slide 6 with Stage 1 Consolidation, Stage 2 Expansion & Desktop, and Stage 3 Private > Public Cloud, the latter described as hybrid and selected public cloud: multi-hypervisor, virtualized storage, workload management, burst to public). GET TECHIE.
  • 15. Phase 2: Security Challenge. “Virtually unaware” traditional security architectures eliminate the benefits of VDI and virtualized mission-critical applications.
  • 16. Phase II: Server Performance. Diagram: VMs (App/OS) on an ESX Server, with a Security VM (firewall, IDS/IPS, anti-virus, integrity monitoring) attached through the VMsafe APIs. • Protect the VM by inspection of virtual components. • Unprecedented security for the app & data inside the VM. • Complete integration with, and awareness of, vMotion, Storage VMotion, HA, etc.
  • 17. Phase II: Securing virtual desktops (VDI). • Malware risk potential: identical to physical desktops – same operating systems – same software – same vulnerabilities – same user activities => same risk of exposing corporate and sensitive data. • New challenges, unique to VDI: – identify endpoints' virtualization status – manage resource contention (CPU, storage IOPS, network).
  • 18. Phase II: IT Environment Changes. Challenge: resource contention with VDI. • The “9-AM problem” – multiple users log in and download updates at the same time. • “AV storms”, scheduled scans – add significant load to the endpoint – multiplied by the number of VMs (cumulative system load). Existing endpoint security induces resource contention and limits desktop virtualization benefits.
  • 19. Phase II: Security has to have VDI intelligence. • Detects whether endpoints are physical or virtual – with VMware View – with Citrix XenDesktop. • Serializes updates and scans per VDI host – controls the number of concurrent scans and updates per VDI host – maintains availability and performance of the VDI host – faster than the concurrent approach. • Leverages base images to further shorten scan times – pre-scans and whitelists VDI base images – prevents duplicate scanning of unchanged files on a VDI host – further reduces impact on the VDI host. • Can be done agentlessly as well.
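The two mechanisms on slide 19, per-host serialization of scans and skipping files already covered by a pre-scanned base image, can be sketched as a scheduler. This is an added illustration, not Trend Micro code; the endpoint inventory, VDI host names and file contents are constructed, and a file is skipped only when both its path and its hash match the whitelisted base image, so a base-image file modified on one desktop is still scanned.

```python
"""VDI-aware scan scheduling: per-host concurrency limit plus base-image whitelist.
Added illustration, not product code; the inventory below is constructed."""
import hashlib
from collections import defaultdict


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed golden image, pre-scanned once; whitelist keyed by path -> hash.
BASE_IMAGE = {"/bin/ls": b"ls-v1", "/lib/libc.so": b"libc-v1", "/etc/hosts": b"hosts-default"}
BASE_WHITELIST = {path: sha256(content) for path, content in BASE_IMAGE.items()}

# Constructed inventory: endpoint -> (VDI host or None for physical, {path: content}).
ENDPOINTS = {
    "desk-01": ("vdi-host-a", {**BASE_IMAGE, "/home/u1/report.docx": b"new-file"}),
    "desk-02": ("vdi-host-a", {**BASE_IMAGE, "/etc/hosts": b"hosts-modified"}),
    "desk-03": ("vdi-host-a", dict(BASE_IMAGE)),           # unchanged clone of the image
    "desk-04": ("vdi-host-b", {**BASE_IMAGE, "/tmp/unknown.exe": b"not-in-image"}),
    "lap-01": (None, {**BASE_IMAGE, "/home/u2/notes.txt": b"notes"}),  # physical laptop
}


def files_to_scan(files, whitelist):
    """Skip only files whose path AND hash match the pre-scanned base image."""
    return sorted(p for p, c in files.items() if whitelist.get(p) != sha256(c))


def schedule(endpoints, max_concurrent_per_host=1):
    """Return scan waves; each wave holds at most `max_concurrent_per_host`
    endpoints per VDI host, while physical endpoints are not throttled."""
    by_host = defaultdict(list)
    for name, (host, _) in sorted(endpoints.items()):
        by_host[host].append(name)
    waves = []
    while any(by_host.values()):
        wave = []
        for host, pending in by_host.items():
            take = len(pending) if host is None else max_concurrent_per_host
            wave.extend(pending[:take])
            del pending[:take]
        waves.append(wave)
    return waves


def plan(endpoints, whitelist, max_concurrent_per_host=1):
    """Map each wave to {endpoint: [paths actually scanned]}."""
    return [{ep: files_to_scan(endpoints[ep][1], whitelist) for ep in wave}
            for wave in schedule(endpoints, max_concurrent_per_host)]
```

With the default limit of one concurrent scan per host, the three desktops on vdi-host-a land in three successive waves, and the unchanged clone desk-03 ends up with nothing left to scan.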
  • 20. Summary of Phase II Solutions. • Light and lean agents when deep visibility is required – using a cloud-client architecture. • Agentless option for application & server performance – using virtualization APIs. • Architecture optimizes performance across the entire infrastructure – processes are “virtually aware” across CPU, network, and storage.
  • 21. “Typical” Customer Virtualization Evolution (section divider; same chart as slide 14, with Phase 1 Consolidation, Phase 2 Expansion & Desktop and Phase 3 Private > Public Cloud). GET TECHIE.
  • 22. Phase III: Virtualized Storage and Multi-tenancy Create Data Protection Nightmares. Datacenter: strong perimeter security; no shared CPU; no shared network; no shared storage. Public and private cloud: weak perimeter security; shared CPU; shared network; shared storage. The traditional “outside-in” approach is inadequate in an “inside-out” cloud world full of strangers. Diagram: applications of many tenants (Company1 … Companyn, App1 … Appn) sharing hypervisors.
  • 23. Phase 3: Security Challenge. How do I protect data in a virtualized and multi-tenant storage environment (private, hybrid, or public cloud)?
  • 24. Who Has Control? Chart of control shared between the end user (enterprise) and the service provider across: Servers; Virtualization & Private Cloud; Public Cloud IaaS; Public Cloud PaaS; Public Cloud SaaS.
  • 25. Amazon Web Services™ Customer Agreement, “7.2. Security. We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.” http://aws.amazon.com/agreement/#7 (3 March 2010). The cloud customer has responsibility for security and needs to plan for protection.
  • 26. SecureCloud: Enterprise-Controlled Data Protection for the Cloud. Patent-pending Trend Micro technology enables enterprises to retain control of data in the cloud.
  • 27. All Phases: Architecture Security Challenge. How do I bring it all together in a manageable way across virtualized, private and public cloud environments?
  • 28. A New Security Architecture For A New Era. All environments should be considered untrusted. Diagram: users access the app; the image ensures data is always encrypted and managed; the host defends itself from attack; data is encrypted with encryption keys controlled by you, across datacenter (DC1, LAN 1; DC2, LAN 2) and public cloud (Cloud 1, LAN 2; Cloud 2, LAN 1). Benefits: • facilitates movement between datacenter & cloud • delivers security compliance through encryption • enables portability between service providers • ensures private data in the public cloud.
  • 29. Security Best Practices Recap. Your data center is changing; have your security strategies changed accordingly? 1. Improve server defenses (supplement with IDS/IPS, FW, application security); implement full audit and monitoring of virtualized environments. 2. Leverage VMware VMsafe-based and vShield Endpoint-based solutions for higher levels of security with simpler operations. 3. Add virtualization-aware agents where needed. 4. Ensure the security solution is future-proofed for the private, public and hybrid cloud.
  • 30. Thank You
  • 31. Cloud Computing Compromises. Oct 2007: Salesforce.com security breached, repeatedly hacked (Washington Post). Oct 2009: Amazon EC2 customer Bitbucket taken offline by a distributed denial of service attack (The Register). Jan 2010: Google Gmail hacked by attacks originating in China (Financial Times). Enterprise security challenges continue in the cloud.