Data Centre Evolution: Securing Your Journey to the Cloud

The world of computing is moving to the cloud – shared infrastructures, shared systems, instant provisioning and pay-as-you-go services. And users can enjoy anytime, anywhere access to services and their data. But how secure is your data in the cloud and do conventional security products offer the optimal approach to securing your virtualised environments?

In this presentation we examine security and performance concerns along your journey to the cloud and explore new technologies from VMware and Trend Micro. These innovations are already helping thousands of businesses to address the security challenges of physical, virtual and cloud platforms.

  • [Interactive Opportunity: Ask the audience where they have deployed their applications and data (e.g., which of the slide categories they have implemented).] The order in which these elements are deployed, and to what degree, will vary depending on business needs and resources. [If you get responses from a group, the fact that they vary will be evident. You can comment on the responses you receive and use them to customize the rest of this presentation: comment on security for their current deployments and on how the right security can help them implement additional platforms sooner.]
  • The different aspects of the journey to the cloud that we saw on the previous slide can be placed into three platforms. The first is physical; the second is virtual, including server and desktop virtualization; and the third is cloud, including private, public, and hybrid clouds. But just because the data center is evolving to include new platforms doesn’t mean the threat landscape is static: we still face evolving threats such as data-stealing malware, botnets and targeted attacks (sometimes called APTs, Advanced Persistent Threats). Integrated, layered security is needed across all three platforms to defend against these threats. And although the threat landscape is shared, each platform carries unique security risks, so the solution must recognize the specific security requirements of each platform.
  • Each of these platforms has unique security concerns. With physical machines, the manageability of various security solutions can be an issue. There can be a glut of security products, either through excessive layering or through overly specialized products. This increases hardware and software costs, and management across the different products can be difficult, causing security gaps. Collectively these issues create a higher total cost of ownership. The solution is to reduce complexity by consolidating security vendors and correlating protection. [click] With virtualization, the risks pertain to both performance and threats specific to virtual environments. There is a concern that security will reduce performance, which reduces the ROI of a virtual infrastructure. There are also attacks unique to virtual machines, such as inter-VM threats. Here the solution is increased efficiency: security that optimizes performance while defending against traditional as well as virtualization-specific threats. [click] With cloud services, the risks pertain to reduced visibility and cloud-specific threats. Companies are concerned about having less visibility into their applications and data, and about increased external threats, especially in multi-tenant environments. For the cloud, businesses need security that lets them use the cloud to deliver IT agility: data must be able to migrate safely from on-premises data centers to private clouds to public clouds so organizations can make the best use of resources. [click] As we’ll see later, all of these concerns can be addressed through protection provided in an integrated security solution managed through one console. With cross-platform security you stay protected as your data center and virtual or cloud deployments evolve, letting you leverage the benefits of each platform while defending against the threats unique to each environment.
  • Now we’ll step through each platform individually, starting with physical servers and endpoints. Regardless of how your business evolves, you’ll still need dedicated physical servers. They give you the highest level of visibility and control, provide dedicated computing resources, and support specialty hardware and software. Today, the security needed for physical machines is relatively well understood. The question is rather how to deploy effective protection while reducing management effort. Integrating security onto one platform reduces the glut of security products, which in turn reduces management and costs.
  • As you can see here, an integrated approach to server security includes a firewall, HIPS and virtual patching, web application protection, antivirus, file integrity monitoring, and log inspection. [click] To reduce complexity, all of these capabilities should be integrated into one solution and managed through one console with advanced reporting capabilities. Here we’re talking about how to reduce the complexity of your physical server security, but when this protection is provided in a cross-platform solution, your security can also travel with you as your business evolves to use virtualization and the cloud.
  • The next platform we’ll discuss is virtualization. Most companies are virtualizing their data centers. In a recent survey by Trend Micro, 59% of respondents had server virtualization in production or trial, and 52% had desktop virtualization in … As the foundation of the cloud, businesses should deploy virtualization security that protects their data center virtual machines as well as the virtual machines they move to private and public cloud environments. In the next few slides we will discuss virtualization security challenges and the virtualization-aware security that addresses them.
  • Next we’ll cover instant-on gaps. [click] Unlike a physical machine, a virtual machine that is offline is still available to any application that can access the virtual machine storage over the network, and is therefore susceptible to malware infection. However, dormant or offline VMs cannot run an anti-malware scan agent. [click] Also, when dormant VMs are reactivated, they may have out-of-date security. [click] One of the benefits of virtualization is the ease with which VMs can be cloned. However, if a VM with out-of-date security is cloned, the new VM will have out-of-date security as well. New VMs must have a configured security agent and updated pattern files to be effectively protected. [click] Again the solution is a dedicated security virtual appliance that can ensure that guest VMs on the same host have up-to-date security when accessed or reactivated, and that newly provisioned VMs also have current security. This security virtual appliance should include layered protection that integrates multiple technologies such as antivirus, integrity monitoring, intrusion detection and prevention, virtual patching, and more.
  • The final virtualization challenge we’ll discuss is the complexity of management. Virtual machines are dynamic. They can quickly be reverted to previous snapshots, paused, and restarted, all relatively easily. They can also be readily cloned and seamlessly moved between physical servers, so vulnerabilities or configuration errors may be propagated unknowingly. It is also difficult to maintain an auditable record of the security state of a virtual machine at any given point in time. [click] This dynamic nature and the potential for VM sprawl make it difficult to achieve and maintain consistent security. Hypervisor introspection is needed for visibility and control. Security that leverages the hypervisor APIs can ensure that each guest VM on the host remains secure and that this security coordinates with the virtualization platform.
  • I’d now like to highlight a couple of additional virtualization challenges. The next one we’ll discuss today is inter-VM attacks and blind spots. [click] When a threat penetrates a virtual machine, it can spread to other virtual machines on the same host. Traditional security such as hardware-based firewalls might protect the host, but not the guest virtual machines, and cross-VM communication might never leave the host to be routed through other forms of security, creating a blind spot. [click] For the solution, protection must be applied at the level of the individual virtual machine, not the host. Integration with the virtualization platform, such as VMware, provides the ability to communicate with the guest virtual machines, and virtual patching keeps VMs secure until patches can be deployed.
  • So what is the solution to these final two challenges? Layered virtualization-aware security in one platform. The security virtual appliance with agentless security that we discussed earlier can provide multiple modules, as listed here—antivirus, integrity monitoring, intrusion prevention, Web application protection, application control, firewall, and log inspection. With this integrated protection that is designed for a virtual environment, you can achieve higher consolidation ratios, faster performance, better manageability, and stronger overall security.
  • [Step through content on slide—should be self explanatory.] As our customers expand their agentless security options, we look forward to hearing how their benefits increase.
  • VMware controls more than half of the virtualization market, so virtualization security must fit into the VMware ecosystem to effectively support enterprise virtualization efforts. Here we show the different VM-security aspects and how they fit into a VMware infrastructure. [click] Pairing agentless antivirus and agentless integrity monitoring with vShield Endpoint allows a large reduction in the memory footprint of security on virtual hosts, by eliminating security agents from the guest virtual machines and centralizing those functions on a dedicated security virtual machine. [click] Protection such as intrusion detection and prevention, web application protection, application control, and firewall can be integrated with VMware vSphere environments using the VMsafe APIs; again this can be an agentless option. [click] Finally, log inspection, which optimizes the identification of important security events buried in log entries, is applied through agent-based protection on each VM. [click] These elements can be integrated and centrally managed with VMware vCenter Server. Together, they provide comprehensive, integrated virtual server and desktop security.
  • Now we’ll cover the final platform, cloud computing. Cloud computing is usually built on virtualization. So, all of the previous challenges and solutions we discussed in the previous section on virtualization apply to the cloud. But cloud computing also introduces its own challenges as well as solutions. Let’s take a look.
  • When planning to deploy your data to the cloud, you must assess your security requirements and select a cloud model that will meet your business needs and objectives. Visibility and control decrease as you move from on-site virtualization and private cloud environments to public cloud models. With a private cloud you control your assets, but with a public cloud the service provider controls the underlying infrastructure, and ultimately controls access to your IT assets. This raises particular security concerns for a public cloud environment. [click] The degree to which you control and are responsible for security in the public cloud varies by cloud model. [click] With an Infrastructure as a Service cloud, the service provider is responsible for securing the underlying hardware, but businesses are expected to secure their virtual infrastructure and the applications and data built on top of it. [click] With Software as a Service and Platform as a Service clouds, the service provider is responsible for most of the security. However, businesses should not assume that service providers provide sufficient security, and should ask about the types of protection provided. In addition, you need to secure the endpoints that connect to the service, to ensure that the cloud service does not compromise endpoint resources and data. For this presentation, when discussing the public cloud we’ll focus on Infrastructure as a Service, because there businesses are responsible for most of the security, including protecting their virtual infrastructure and the applications and data built on top of it.
  • Now we’ll discuss a few security challenges that are specific to the public cloud. The first is multi-tenancy and mixed trust level VMs. [click] Because of the multi-tenant architecture of the cloud, your data can move to make the best use of resources, but you may not always know exactly where your data is located. Your critical applications and data might sit next to high-risk VMs, and you may not even know it. This is particularly true in the public cloud, where you don’t know your neighbors, but it can also be true in private clouds when various VMs for your business share a host. [click] The solution is to create self-defending virtual machines that can defend themselves in a multi-tenant environment. And encryption can secure your data even if it is accessed by an unauthorized party, anywhere from criminals to service providers to people in your own company who do not have permission to view the data.
  • Another challenge for cloud computing is data access and governance. [click] This builds on the challenge on the previous slide. The multi-tenant architecture and provider control of the infrastructure raise concerns about who can see your data, or who may be attaching to your storage volumes. With these concerns comes a desire for visibility: are you able to run reports that audit who has accessed your data? [click] Businesses need security and privacy measures that address these concerns. Encryption can secure data, but encryption alone is not enough. The solution should include policy-based key management to specify when and where data can be accessed, and server validation that performs server identity and integrity checks before encryption keys are released.
  • The final cloud computing challenge we’ll discuss today is data destruction. As I mentioned before, cloud data can move to make the best use of resources. [click] But when data is moved, remnants sometimes remain if the data in the previous location is not completely shredded, and these remnants create a security concern. [click] Again encryption is the solution, because any remaining data remnants are unreadable to unauthorized users who access them, provided the keys themselves are held in the key management service rather than alongside the data.
  • So what is the solution? Cloud protection should include self-defending VM security that travels with the virtual machine into a cloud infrastructure. This allows businesses to transfer a complete security stack into the cloud and retain control. This cloud security should be provided in a modular infrastructure with both agentless and agent-based options, so it can be customized to your individual cloud deployment needs, and on one platform managed through a single console across your physical, virtual, and cloud deployments, including private, public, and hybrid clouds. [click] Another method of protecting data in the cloud is encryption with policy-based key management. The solution should start with industry-standard encryption that renders your data unreadable to outsiders. Even if your data is moved and residual data is left behind, the data on the recycled devices is obscured. It is critical that this encryption is accessed through policy-based key management specifying when and where your data may be accessed, and that policies with identity- and integrity-based validation rules specify which servers may obtain decryption keys. An encryption solution should also give the option of accessing keys through a SaaS or on-site virtual appliance, with customer control over the keys, to support a clear separation of duties and to avoid vendor lock-in. Encryption with policy-based key management allows even heavily regulated companies to leverage the flexibility and cost savings of the public cloud while ensuring their data stays secure. [click] These two solution elements can be integrated in a context-aware approach to security. For example, encryption policies can specify that encryption keys will not be released unless the requesting server has up-to-date security, ensuring that the data stays protected when accessed by self-defending VM security. [click] And this security should work with multiple cloud platforms, allowing you to create the right cloud environment for your business.
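The notes for the last three slides describe a key management service that releases a volume's encryption key only after identity- and integrity-based validation of the requesting server, within a policy on when and where the data may be accessed, refuses servers whose security is out of date, and relies on the key staying out of reach so that storage remnants are unreadable. The following Python sketch is an added example of such a key-release policy; it is not Trend Micro SecureCloud code and is not part of the presentation. The HMAC shared secret standing in for a server certificate, the SHA-256 "measurement" standing in for an integrity check, the pattern-version field, and all server, volume and region names are assumptions made for the example.

```python
# Added illustration of policy-based key release (not Trend Micro or VMware code).
# A volume key is handed out only after identity, freshness, integrity,
# security-state, location and time-window checks pass; every decision is
# appended to an audit log so access can be reported on later.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class ServerPolicy:
    identity_secret: bytes        # enrolled shared secret; stands in for a server certificate (assumption)
    expected_measurement: str     # SHA-256 hex of the approved boot/config image (assumption)
    min_pattern_version: int      # oldest acceptable security-definition version
    allowed_locations: frozenset  # "where" the data may be decrypted
    access_hours: tuple           # "when": (first_hour, last_hour) inclusive, UTC


@dataclass(frozen=True)
class KeyRequest:
    server_id: str
    volume_id: str
    measurement: str
    pattern_version: int
    location: str
    timestamp: datetime
    proof: bytes = b""            # HMAC over the other fields, filled in by sign_request


def _request_bytes(req: KeyRequest) -> bytes:
    fields = [req.server_id, req.volume_id, req.measurement,
              str(req.pattern_version), req.location, req.timestamp.isoformat()]
    return "|".join(fields).encode()


def sign_request(secret: bytes, req: KeyRequest) -> KeyRequest:
    """Requesting server: bind every field of the request to its identity with an HMAC."""
    return replace(req, proof=hmac.new(secret, _request_bytes(req), hashlib.sha256).digest())


class KeyService:
    MAX_SKEW = timedelta(minutes=5)   # replayed or stale requests are refused

    def __init__(self):
        self.volume_keys = {}   # volume_id -> 256-bit data-encryption key
        self.policies = {}      # server_id -> ServerPolicy
        self.audit = []         # (time, server_id, volume_id, decision)

    def create_volume_key(self, volume_id: str) -> None:
        self.volume_keys[volume_id] = secrets.token_bytes(32)

    def enroll(self, server_id: str, policy: ServerPolicy) -> None:
        self.policies[server_id] = policy

    def shred_volume(self, volume_id: str) -> None:
        """Crypto-shredding: once the key is gone, remnants left on old storage are unreadable."""
        self.volume_keys.pop(volume_id, None)

    def release_key(self, req: KeyRequest, now: datetime):
        decision = self._evaluate(req, now)
        self.audit.append((now.isoformat(), req.server_id, req.volume_id, decision))
        return self.volume_keys[req.volume_id] if decision == "granted" else None

    def _evaluate(self, req: KeyRequest, now: datetime) -> str:
        policy = self.policies.get(req.server_id)
        if policy is None:
            return "denied: unknown server"
        expected = hmac.new(policy.identity_secret, _request_bytes(req), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, req.proof):      # identity, constant-time compare
            return "denied: identity proof invalid"
        if abs(now - req.timestamp) > self.MAX_SKEW:
            return "denied: stale request"
        if req.measurement != policy.expected_measurement:    # integrity
            return "denied: integrity measurement mismatch"
        if req.pattern_version < policy.min_pattern_version:  # up-to-date security
            return "denied: security definitions out of date"
        if req.location not in policy.allowed_locations:      # where
            return "denied: location not permitted"
        first, last = policy.access_hours                     # when
        if not first <= now.hour <= last:
            return "denied: outside access window"
        if req.volume_id not in self.volume_keys:
            return "denied: key destroyed"
        return "granted"


def demo():
    """Constructed walk-through; returns (audit decisions in order, the key that was granted)."""
    svc = KeyService()
    secret = secrets.token_bytes(32)
    approved = hashlib.sha256(b"approved-image-v3").hexdigest()   # constructed measurement
    svc.enroll("web-01", ServerPolicy(secret, approved, 1200, frozenset({"eu-west-1"}), (6, 22)))
    svc.create_volume_key("vol-research")
    now = datetime(2012, 5, 1, 10, 0, tzinfo=timezone.utc)
    good = KeyRequest("web-01", "vol-research", approved, 1205, "eu-west-1", now)
    key = svc.release_key(sign_request(secret, good), now)                            # granted
    svc.release_key(sign_request(secret, replace(good, pattern_version=1100)), now)   # old patterns
    svc.release_key(replace(sign_request(secret, good), location="us-east-1"), now)   # altered after signing
    night = datetime(2012, 5, 2, 2, 0, tzinfo=timezone.utc)
    svc.release_key(sign_request(secret, replace(good, timestamp=night)), night)       # outside window
    svc.shred_volume("vol-research")
    svc.release_key(sign_request(secret, good), now)                                  # key destroyed
    return [entry[3] for entry in svc.audit], key
```

The order of the checks matters: the identity proof is verified first so that a forged or tampered request is rejected before any policy detail is evaluated, and the audit log records a reason for every refusal, which is what a governance report on "who tried to reach this data" is built from. Shredding here means deleting the key at the service; the data on the old storage is never touched.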
  • Earlier we reviewed how the Trend Micro server security platform with modular security integrates with a VMware ecosystem. Here we see how Trend Micro’s cloud data encryption solution, SecureCloud, supports a VMware environment. The VMware ecosystem consists of vSphere, which creates the virtualization platform, and vCloud, which provides technologies to support private and public clouds; vCloud Director provides a management portal into these cloud technologies. [click] Trend Micro SecureCloud leverages information from vSphere and vCloud to provide native support for these environments. [click] SecureCloud can then provide encryption in VMware virtual, private, and public cloud environments. [click] This gives companies encryption support today and as their data centers evolve.
  • As we’ve discussed here, Trend Micro’s server security platform provides specialized protection across physical, virtual, and cloud. [Briefly step through points on slide.]
  • Trend Micro was VMware’s 2011 Technology Alliance Partner of the Year. This timeline helps highlight some of our achievements in our partnership with VMware, starting back in 2008. [Highlight a couple of key points from the timeline—do not cover it all.]
  • We’ve been very successful in our approach to server security, achieving both #1 in virtualization security—the foundation of cloud computing, and #1 in server security for 2 consecutive years.

Slide 1. Data Center Evolution: Physical. Virtual. Cloud. Securing Your Journey to the Cloud (Trend Micro)
Slide 3. CROSS-PLATFORM SECURITY: One Security Model is Possible across Physical, Virtual, and Cloud Environments
  • New platforms don’t change the threat landscape
  • Each platform has unique security risks
  • Integrated security is needed across all platforms
Slide 4. PLATFORM-SPECIFIC SECURITY RISKS
  • Physical: Manageability. Glut of security products; higher TCO. Goal: Reduce Complexity
  • Virtual: Performance & Threats. Traditional security degrades performance; new VM-based threats. Goal: Increase Efficiency
  • Cloud: Visibility & Threats. Less visibility; more external risks. Goal: Deliver Agility
  • Integrated Security: Single Management Console
Slide 5. REDUCE COMPLEXITY: Consolidate Physical Security
Slide 6. REDUCE COMPLEXITY: One Server Security Platform
  • Modules: Firewall; HIPS / Virtual Patching; Web Application Protection; Antivirus; Integrity Monitoring; Log Inspection
  • Single Management Console; Advanced Reporting Module
Slide 7. INCREASE EFFICIENCY: Server and Desktop Virtualization Security
Slide 8. VIRTUALIZATION SECURITY. Challenge: Resource Contention
  • Typical AV console: a 3:00am scan on every VM produces an antivirus storm
  • Automatic security scans overburden the system
Slide 9. VIRTUALIZATION SECURITY. Challenge: Instant-on Gaps (active vs. dormant VMs)
Slide 10. VIRTUALIZATION SECURITY. Challenge: Instant-on Gaps
  • Reactivated with outdated security; cloned
  • Reactivated and cloned VMs can have out-of-date security
Slide 11. VIRTUALIZATION SECURITY. Challenge: Complexity of Management
  • Provisioning new VMs; reconfiguring agents; rollout of patterns; patching agents
  • VM sprawl inhibits compliance
Slide 12. VIRTUALIZATION SECURITY. Challenge: Inter-VM Attacks / Blind Spots
  • Attacks can spread across VMs
Slide 13. Agent-less Security Architecture (diagram)
  • Trend Micro Deep Security Virtual Appliance: Network Security (IDS/IPS, Web App Protection, Application Control, Firewall) and Anti-Malware (Real-time Scan, Scheduled & Manual Scan)
  • Trend Micro Deep Security Manager, operated by the Security Admin
  • Guest VMs: APPs, OS, VM tools
  • VMware platform: ESX with the vShield Endpoint filter driver and ESX module; VMsafe-net API; vShield Endpoint API; vShield Manager; vCenter; vSphere Platform, operated by the VI Admin
  • Legend: Trend Micro product components; VMware platform components; vShield Endpoint components
Slide 14. VIRTUALIZATION SECURITY. What is the Solution? Layered, Virtualization-Aware Security in One Platform
  • Deep Security Virtual Appliance with agentless security
  • Integrated modules: Antivirus; Integrity Monitoring; Intrusion Prevention; Web Application Protection; Application Control; Firewall; Log Inspection
  • Higher Density; Optimized Resources; Simplified Management; Stronger Security
  • Maximizes Performance and ROI
Slide 15. CASE STUDY: Agentless Anti-malware, City of Oulu, Finland
  • Industry: Municipal Government. Number of Employees: 10,000
  • Challenge: Merge infrastructures of four surrounding cities in less than one year; extend the lives of existing PCs that cannot be upgraded to Windows 7; minimize the start-up efforts for the infrastructure merger; avoid complexity that would slow systems or increase workload
  • Solution: vShield Endpoint and Trend Micro Deep Security, for agentless protection of virtual desktop infrastructure (VDI)
  • Business Results: Protection that is easy to deploy, administer, and scale; agentless security that is more resource; instant protection of new VMs at time of spin-up
Slide 16. DELIVER AGILITY: Cloud Deployments and Security
Slide 17. CLOUD SECURITY. Cloud Models: Who Has Control?
  • Spectrum: Servers; Virtualization & Private Cloud; Public Cloud IaaS; Public Cloud PaaS; Public Cloud SaaS. Control shifts from the End-User (Enterprise) toward the Service Provider
  • Who is responsible for security? With IaaS the customer is responsible for VM-level security; with SaaS or PaaS the service provider is responsible for security
Slide 18. CLOUD SECURITY. Challenge: Multi-tenancy / Mixed Trust Level VMs
  • Shared resources create a mixed trust level environment
Slide 19. CLOUD SECURITY. Challenge: Data Access and Governance
  • There can be less visibility and control of cloud data
Slide 20. CLOUD SECURITY. Challenge: Data Destruction
  • When data is moved, unsecured data remnants can remain
Slide 21. CLOUD SECURITY. What is the Solution? Data Protection
  • Data Security: Encryption with Policy-based Key Management. Unreadable for unauthorized users; control of when and where data is accessed; server validation; custody of keys
  • Server & App Security: Modular Protection. Self-defending VM security; agentless and agent-based; one management portal for all modules, all deployments
  • Integration ensures servers have up-to-date security before encryption keys are released (vSphere & vCloud)
Slide 22. CLOUD SECURITY. Fitting Encryption into a VMware Ecosystem
  • Trend Micro SecureCloud (Key Service, Console, Enterprise Key) over VMware vCloud and VMware vSphere, spanning Data Center, Private Cloud and Public Cloud VMs
  • Encryption throughout your cloud journey: data protection for virtual & cloud environments
Slide 23. Deep Security / SecureCloud Example (diagram: Customer 1, Customer 2, Customer Test; Unix/Win Server on VMware vSphere ESX)
Slide 24. TREND MICRO DEEP SECURITY: Specialized Protection for Physical, Virtual, and Cloud
  • Only fully integrated server security platform
  • First hypervisor-integrated agentless antivirus
  • First agentless file integrity monitoring (FIM)
  • Only solution in its category to be EAL4+ and FIPS certified
Slide 25. TREND MICRO: VMWARE’S NUMBER 1 SECURITY PARTNER. 2011 Technology Alliance Partner of the Year
  • Improves Security: providing the most secure virtualization infrastructure, with APIs and certification programs. Improves Virtualization: providing security solutions architected to fully exploit the VMware platform
  • Partnership timeline 2008 to 2011 (milestones as legible on the slide, month labels kept where attached): Feb: join VMsafe program; RSA: Trend Micro VMsafe demo; May: Trend acquires Third Brigade; Nov: Deep Security 7 with virtual appliance; RSA: Trend Micro announces virtual appliance; VMworld: announce agentless; coordinated approach & virtual pricing announced; sale of DS 7.5 before GA; Dec: Deep Security 7.5 with agentless antivirus; GA Deep Security 7.5; Q4: joined EPSEC vShield program; 2010: >100 customers, >$1M revenue; RSA: Trend demos agentless while other vendors "announce"; VMworld: Trend virtsec customer, case study, webinar, video; Deep Security 8 with agentless FIM; CPVM 1000 agentless customers
Slide 26. VIRTUALIZATION AND CLOUD SECURITY: Trend is No.1 in Server and Virtualization Security
  • Trend Micro revenue share shown as 13% and 23.7% in the two charts
  • Sources: IDC, 2011, Worldwide Endpoint Security Revenue Share by Vendor, 2010; 2011 Technavio, Global Virtualization Security Management Solutions