A Plan to Control and Protect Data in the Private and Public Cloud

Despite cloud computing’s maturation as an enterprise IT application or infrastructure option, IT management concerns persist, notably in the areas of security, IT governance, and business continuity. The speaker will focus on security and data governance issues regarding deployment of private, hybrid and public clouds, and offer a pragmatic plan for resolving these concerns. This plan navigates the tangle of security responsibilities between enterprises and cloud service providers to enable IT managers to leverage the economics and flexibility provided by cloud-based applications. The plan focuses on how companies can create secure spaces in the cloud and both protect and control data in those spaces.

Todd Thiemann, Senior Director, Datacenter Products, Trend Micro, Inc.

Todd Thiemann has been with Trend Micro for over eight years and is currently responsible for planning Trend Micro’s products and technologies designed to secure datacenter information including virtualization and cloud security, DLP, and encryption. Todd is also co-chair of the Cloud Security Alliance Solution Provider Forum.

Todd holds a BS degree from Georgetown University and an MBA from the Anderson School of Business at the University of California, Los Angeles.

Presentation Transcript

  • A Plan To Control and Protect Data in the Private and Public Cloud. Todd Thiemann, Senior Director, Datacenter Security, Trend Micro. Copyright 2009 Trend Micro Inc.
  • Why virtualization & cloud matters: Cost Reduction; Speed and Business Impact; Expertise and Performance. 1) The Cloud Imperative… “If by mid-year you have not developed and begun to execute upon an ambitious and enterprise-wide cloud strategy, then by year-end the odds are good you'll no longer be a CIO.” (“Global CIO: The Top 10 CIO Issues For 2010”, InformationWeek, 21 December 2009)
  • Virtualization & Cloud Have Management Attention. Source: “The 2010 Gartner Scenario: The Current State and Future Directions of the IT Industry”, Gartner, 14 June 2010
  • Realized Benefits of Cloud Computing: Enterprises Reducing Costs, Increasing Agility
    – Public Cloud for Backup & Storage: using public cloud services, GE reduced backup costs by 40% to 60% and created reusable processes in a rapidly deployable model. (Matt Merchant, General Electric, December 2009)
    – Pharmaceutical R&D and The Cloud: “Drug behemoth Eli Lilly and Co. …uses Amazon's Elastic Compute Cloud (EC2) for scientific collaboration and computations … because they empower many subsets of users.” (SearchCIO.com, 30 July 2009)
    – Gartner Top 10 Strategic Technologies in 2010: “Cloud Computing. Organizations should think about how to approach the cloud in terms of using cloud services, developing cloud-based applications and implementing private cloud environments.” (SearchCIO.com, 22 October 2009)
    – Cloud Computing & Security: “CISOs and Security Architects: Don't let operations-led projects lower your security profile. Engage in a discussion of the issues now, not after the fact.” (Neil MacDonald, Gartner, Gartner Data Center Conference, December 2009)
  • Security: the #1 Cloud Challenge. Security and privacy were the foremost concerns by far, with a weighted score higher than the next three (performance, immaturity and regulatory compliance) combined. (Gartner, April 2010)
  • “Typical” Customer Virtualization Evolution [chart residue: 85% Desktops, 15%, 30%, 70% Servers]
    – Phase 1, Consolidation: DC Consolidation & Endpoint Control; Non-mission-critical base applications; Standardized hypervisor; Simple VM Management; VDI sampling
    – Phase 2, Expansion & Desktop: Mission critical applications; Performance becomes critical; API and advanced management use; Workload Management
    – Phase 3, Private > Public Cloud: Public and private cloud; Multi-hypervisor; Virtualized storage; Multi-tenancy; Dedicate or Burst to public; Enhanced Compliance controls
  • The Evolving Datacenter: Lowering Costs, Increasing Flexibility. Stages: Physical (Traditional Datacenter) → Virtual (Consolidation) → Private Cloud → Public Cloud (Outsourced). Attributes across the stages: Cost Center → Charge Back → Metered; Single Hypervisor → Multi-Hypervisor → Shared Resources → Multi-Tenant; Data per App → Data Sharing → Data Mobility. Infrastructure Security and Data Protection must keep up with Cloud Evolution.
  • Phase 1 Security Challenge: a perimeter-only (“outside-in”) approach together with rapid virtualization has created less secure application environments. “Through 2012, 60% of virtualized servers will be less secure than the physical servers they replace.” (“Addressing the Most Common Security Risks in Data Center Virtualization Projects”, Gartner, 25 January 2010)
  • Phase I: The virtual datacenter is very dynamic! New challenges (Inter-VM attacks, PCI, Mobility, Cloud Computing, Hypervisor) require a new security architecture.
  • Virtual Machines Need Specialized Protection: the same threats exist in virtualized servers as in physical ones. New challenges: 1. Instant-on/dormant VMs 2. Resource contention 3. VM sprawl 4. Inter-VM traffic 5. vMotion
  • Virtualization Security Foundation: “Secure the workload.” A self-secured workload integrates VM and network security (app firewall, IPS, AV…) inside each VM (App1/OS1, App3/OS3) running on the hypervisor.
  • Customers' most common Phase I concern: instant-on or unmanaged VMs & patching. Virtually patch endpoints until the patch is ready, without exposing them to exploits:
    – Determines missing patches and existing vulnerabilities (operating system, common desktop applications)
    – Recommends a set of lightweight, fast-to-deploy filters that virtually patch the vulnerabilities, give zero-day protection and report on attempts to exploit vulnerabilities
    – Removes the filters as soon as the patch is deployed
  • “Inside-out” Protection Model for Physical, Virtual and Cloud Computing. Alongside the perimeter (“De-Militarized Zone” firewall, IDS/IPS, NIPS), each business server and mission-critical server carries its own IPS, firewall, File Integrity Monitoring and Log Inspection. Trend Micro Deep Security provides a secure container for applications and data.
  • “Typical” Customer Virtualization Evolution (repeated roadmap slide) [chart residue: 85% Desktops, 15%, 30%, 70% Servers]
    – Stage 1, Consolidation: DC Consolidation & Endpoint Control; Non-mission-critical base applications; Standardized hypervisor; Simple VM Management; VDI sampling
    – Stage 2, Expansion & Desktop: Mission critical applications; Performance becomes critical; API and advanced management use; Workload Management
    – Stage 3, Private > Public Cloud: Hybrid and selected public cloud; Multi-hypervisor; Virtualized storage; Burst to public; Enhanced Compliance controls
    GET TECHIE
  • Phase 2 Security Challenge: “Virtually unaware” traditional security architectures eliminate the benefits of VDI and virtualized mission-critical applications.
  • Phase II: Server Performance. A dedicated Security VM (Firewall, IDS/IPS, Anti-Virus, Integrity Monitoring) on the ESX Server protects the App/OS VMs through the VMsafe APIs:
    – Protects the VM by inspection of virtual components
    – Unprecedented security for the app & data inside the VM
    – Complete integration with, and awareness of, vMotion, Storage VMotion, HA, etc.
  • Phase II: Securing virtual desktops (VDI)
    – Malware risk potential: identical to physical desktops (same operating systems, same software, same vulnerabilities, same user activities) => same risk of exposing corporate and sensitive data
    – New challenges, unique to VDI: identify endpoints' virtualization status; manage resource contention (CPU, storage IOPs, network)
  • Phase II: IT Environment Changes. Challenge: Resource Contention with VDI
    – The “9-AM problem”: multiple users log in and download updates at the same time
    – “AV-storms”, scheduled scans: adds significant load to the endpoint, multiplied by the number of VMs
    – Cumulative system load: existing endpoint security induces resource contention and limits desktop virtualization benefits
  • Phase II: Security has to have VDI-Intelligence
    – Detects whether endpoints are physical or virtual (with VMware View, with Citrix XenDesktop)
    – Serializes updates and scans per VDI host: controls the number of concurrent scans and updates per VDI host, maintains availability and performance of the VDI host, faster than the concurrent approach
    – Leverages base images to further shorten scan times: pre-scans and white-lists VDI base images, prevents duplicate scanning of unchanged files on a VDI host, further reduces impact on the VDI host
    – Can be done agentlessly as well
  • Summary of Phase II Solutions
    – Light and lean agents when deep visibility is required, using a cloud-client architecture
    – Agent-less option for application & server performance, using virtualization APIs
    – Architecture optimizes performance across the entire infrastructure: processes are “virtually-aware” across CPU, network, and storage
  • “Typical” Customer Virtualization Evolution (repeated roadmap slide) [chart residue: 85% Desktops, 15%, 30%, 70% Servers]
    – Phase 1, Consolidation: DC Consolidation & Endpoint Control; Non-mission-critical base applications; Standardized hypervisor; Simple VM Management; VDI sampling
    – Phase 2, Expansion & Desktop: Mission critical applications; Performance becomes critical; API and advanced management use; Workload Management
    – Phase 3, Private > Public Cloud: Hybrid and selected public cloud; Multi-hypervisor; Virtualized storage; Burst to public; Enhanced Compliance controls
    GET TECHIE
  • Phase III: Virtualized Storage and Multi-tenancy Creates Data Protection Nightmares. Private datacenter (one company's App 1…App n on its own hypervisor): strong perimeter security, no shared CPU, no shared network, no shared storage. Public cloud (Company 1…Company n, App 1…App n sharing the hypervisor): weak perimeter security, shared CPU, shared network, shared storage. The traditional “outside-in” approach is inadequate in an “inside-out” cloud world full of strangers.
  • Phase 3 Security Challenge: How do I protect data in a virtualized and multi-tenant storage environment (private, hybrid, or public cloud)?
  • Who Has Control? Moving from Servers, to Virtualization & Private Cloud, to Public Cloud IaaS, PaaS and SaaS, control shifts from the End-User (Enterprise) to the Service Provider.
  • Amazon Web Services™ Customer Agreement, 7.2. Security: “We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.” http://aws.amazon.com/agreement/#7 (3 March 2010). The cloud customer has responsibility for security and needs to plan for protection.
  • SecureCloud: Enterprise Controlled Data Protection for the Cloud. Patent-pending Trend Micro technology enables enterprises to retain control of data in the cloud.
  • All Phases: Architecture Security Challenge: How do I bring it all together in a manageable way across virtualized, private and public cloud environments?
  • A New Security Architecture For A New Era: all environments should be considered un-trusted. Users access the app; the host defends itself from attack; the image ensures data is always encrypted and managed; encryption keys are controlled by you; encrypted data can live in DC1 (LAN 1), DC2 (LAN 2), Cloud 1 (LAN 2) or Cloud 2 (LAN 1). Benefits:
    – Facilitates movement between datacenter & cloud
    – Delivers security compliance through encryption
    – Enables portability between service providers
    – Ensures private data in public cloud
  • Security Best Practices Recap: your data center is changing; have your security strategies changed accordingly?
    1. Improve server defenses (supplement with IDS/IPS, FW, application security); implement full audit and monitoring of virtualized environments
    2. Leverage VMware VMsafe-based and vShield Endpoint-based solutions for higher levels of security with simpler operations
    3. Add virtualization-aware agents where needed
    4. Ensure the security solution is future-proofed for the private, public and hybrid cloud
  • Thank You
  • Cloud Computing Compromises: Jan 2010: Google Gmail hacked by attacks originating in China (Financial Times). Oct 2009: Amazon EC2 customer Bitbucket taken offline by Distributed Denial of Service attack (The Register). Oct 2007: Salesforce.com security breached, repeatedly hacked (Washington Post). Enterprise security challenges continue in the cloud.
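As an added illustration of the “Security has to have VDI-Intelligence” slide in the Phase II section (example code written for this page, not the speaker's or Trend Micro's), the Python below applies two of that slide's ideas: it serializes scans per VDI host with a bounded semaphore so an “AV-storm” never exceeds a set number of concurrent scans, and it skips files whose path and SHA-256 digest match a pre-scanned base image. The host name, file paths and file contents are constructed, and the per-host concurrency limit is an assumed tunable.

```python
import hashlib
import threading
import time
from collections import defaultdict


class VdiScanScheduler:
    def __init__(self, max_scans_per_host: int = 2):       # assumed tunable per VDI host
        self._slots = defaultdict(lambda: threading.BoundedSemaphore(max_scans_per_host))
        self._whitelist = set()          # (path, digest) pairs from pre-scanned golden images
        self._lock = threading.Lock()
        self._active = defaultdict(int)  # scans running right now, per VDI host
        self.peak = defaultdict(int)     # highest concurrency observed, per VDI host
        self.scanned, self.skipped = [], []

    def whitelist_base_image(self, files: dict) -> None:
        # Pre-scan the golden image once; record what "unchanged" looks like.
        for path, data in files.items():
            self._whitelist.add((path, hashlib.sha256(data).hexdigest()))

    def scan_vm(self, host: str, vm: str, files: dict) -> None:
        with self._slots[host]:                   # serialize: at most N scans per host
            with self._lock:
                self._active[host] += 1
                self.peak[host] = max(self.peak[host], self._active[host])
            try:
                for path, data in files.items():
                    if (path, hashlib.sha256(data).hexdigest()) in self._whitelist:
                        self.skipped.append((vm, path))   # unchanged from base image
                    else:
                        self.scanned.append((vm, path))   # new or modified: full scan
                        time.sleep(0.01)                  # stand-in for real scan work
            finally:
                with self._lock:
                    self._active[host] -= 1


def nine_am_storm(num_vms: int = 8, max_scans_per_host: int = 2) -> dict:
    """Constructed '9-AM problem': num_vms desktops on one host start a scan together."""
    base = {"C:/Windows/System32/kernel32.dll": b"golden-image-bytes", "C:/app/app.exe": b"app-v1"}
    sched = VdiScanScheduler(max_scans_per_host)
    sched.whitelist_base_image(base)
    threads = []
    for i in range(num_vms):
        files = dict(base, **{f"C:/Users/u{i}/download.exe": f"user-file-{i}".encode()})
        threads.append(threading.Thread(target=sched.scan_vm, args=("vdi-host-1", f"vm{i}", files)))
        threads[-1].start()
    for t in threads:
        t.join()
    return {"peak_concurrency": sched.peak["vdi-host-1"], "files_scanned": len(sched.scanned), "files_skipped": len(sched.skipped)}
```

With eight desktops each carrying the two base-image files plus one user file, only the eight user files are scanned, the sixteen base-image copies are skipped, and the host never sees more than the configured number of concurrent scans.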