Tech Insights 2011 SEA - Security from the Ground Up to the Cloud
Security from the Ground Up to the Cloud…
Esmaeil Sarabadani, Systems and Security Consultant, Redynamics Asia Sdn. Bhd.
What will be covered…
• An overview of Public and Private Clouds and their building blocks
• Cloud security concerns
• The Cloud Defense-in-Depth approach
• Security in the cloud virtualized environment
• Data and network traffic isolation in the cloud
• Control and ownership of the data in the cloud
• Questions to ask before moving to the cloud
What is the cloud?!!
• It’s nothing supernatural.
• It’s been with you for a long time.
• It’s used for social activities, entertainment, business and much more.
• It brings more:
  • Availability
  • Reliability
  • Scalability
  • Affordability
  • Security
Private Cloud
• Everything is hosted on premises.
• You pay only once, for the licenses and the implementation.
• Security and data protection are entirely your responsibility.
• You do not have to follow any cloud service provider’s policies.
Public Cloud
• Everything is hosted by a cloud service provider.
• You pay for the cloud service you are using.
• Security and data protection are guaranteed by the provider.
• You have to follow the cloud service provider’s policies.
Microsoft Cloud Building Blocks (from the top of the stack down)
• AuthN, AuthZ, Auditing
• Admin / Tenant Interfaces
• System Center Virtual Machine Manager
• Hyper-V Based Hypervisor
• Compute / Network / Storage
Cloud Security Concerns
• Protecting the virtualized environment
• Data isolation
• Firewall configuration
• Complexity
• Hypervisor security issues
• The geographical location of data
• Complicated audit and forensics
Cloud Defense-in-Depth Approach

Layer       | Defenses
------------|-----------------------------------------------------------------------------
Data        | Windows Security Model for access control and auditing; System Center Data Protection Manager for data availability
Application | User identification and authorization; application-layer malware protection
Host        | Host boundaries enforced by external hypervisors; host malware protection
Network     | VLAN and packet filters in the network fabric; host firewall to supplement and integrate IPsec isolation
Perimeter   | Controlled access to portals / services using UAG (Forefront Unified Access Gateway); controlled egress filtering using TMG (Forefront Threat Management Gateway)
Data Isolation and Hypervisor
(Diagram: the Root VM and several Guest VMs sit side by side above the Hypervisor, which sits above the Physical Hardware; the path between guest VMs is marked “No Access”.)
Virtualization Architecture
Hypervisor (Ring -1, directly above Storage, NIC and CPU):
• Isolation boundary between partitions
• Only ~600 KB in size
Root Partition (Server Core kernel, drivers and VMBus in Ring 0; the virtualization stack in Ring 3):
• Mediates all access to the hypervisor
• Server Core minimizes the attack surface
• ~50% less patching required
Guest Partitions (guest OS kernel in Ring 0; guest applications in Ring 3):
• Guests cannot interfere with each other
• Each guest has a dedicated VMBus channel
Network Security
How DDoS attacks are detected and stopped in the Microsoft public cloud network…
(Diagram: attackers on the Internet targeting VMs that run on hypervisors inside the Microsoft Public Cloud.)
Network Traffic Isolation
• Hosts and VMs support 802.1Q (VLAN tagging)
• Each host and VM is assigned a VLAN ID
• The VLAN assignment is enforced across the network fabric
• Firewalls permit inter-VLAN traffic only as policy allows
• Isolates:
  • The host from its guests
  • Management traffic from guest traffic
Network Traffic Isolation (Public/Private Cloud)
(Diagram: VMs spread across several hypervisors, each on its own VLAN.)
The aim is to prevent and stop attacks coming from the inside, i.e. from other VMs on the same host or fabric.
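The VLAN-based isolation described on the two preceding slides, as an added example that is not part of the original presentation. It assigns 802.1Q VLAN IDs on a Hyper-V host with the Hyper-V PowerShell module (Windows Server 2012 or later, so newer than the 2011 deck) and then audits every guest adapter so that nothing is left untagged, in trunk mode, or on the management VLAN. The management adapter name, VM names and VLAN numbers are hypothetical.

```powershell
# Added example (not from the presentation): 802.1Q isolation on a Hyper-V host.
# Assumes the Hyper-V PowerShell module; adapter/VM names and VLAN IDs are hypothetical.

$ManagementVlan = 10            # host management / fabric traffic
$TenantVlans = @{               # one VLAN per tenant (hypothetical names)
    'Tenant-A-Web' = 101
    'Tenant-A-DB'  = 101        # same tenant, same VLAN
    'Tenant-B-Web' = 102
}

# 1. Put the host's own (management OS) virtual NIC on the management VLAN,
#    so host traffic never shares a broadcast domain with guest traffic.
Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName 'Management' `
    -Access -VlanId $ManagementVlan

# 2. Tag each guest adapter in access mode. The virtual switch adds and strips
#    the 802.1Q tag, so a guest cannot re-tag its frames into another VLAN.
foreach ($vm in $TenantVlans.Keys) {
    Set-VMNetworkAdapterVlan -VMName $vm -Access -VlanId $TenantVlans[$vm]
}

# 3. Audit the effective settings of every VM adapter on this host and flag
#    anything that weakens the isolation:
#    (a) untagged   -> lands on the switch's native VLAN, shared with whoever else is untagged
#    (b) trunk mode -> the guest picks its own VLAN tag
#    (c) management -> a guest sitting on the host/fabric VLAN
$findings = @()
foreach ($setting in (Get-VM | Get-VMNetworkAdapterVlan)) {
    $name = $setting.ParentAdapter.VMName
    switch ($setting.OperationMode) {
        'Untagged' { $findings += "$name : adapter is untagged" }
        'Trunk'    { $findings += "$name : trunk mode lets the guest choose its VLAN" }
        'Access'   {
            if ($setting.AccessVlanId -eq $ManagementVlan) {
                $findings += "$name : guest is on management VLAN $ManagementVlan"
            }
        }
    }
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output "All guest adapters are access-tagged and off VLAN $ManagementVlan"
}
```

Tagging alone only separates broadcast domains; as the slide says, traffic between VLANs still has to pass a firewall, so the inter-VLAN policy on the physical switches or the firewall remains a separate check.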
Questions to ask before moving to the cloud…
• Encryption
• Storage
• Data transfer limits
• Web access
• File size limits
• Auditing policies
• Government involvement
Cloud Audit Policies
• What data does my provider log?
• Which logs do I have control over?
• How long do providers keep logs?
• What data does my provider give to me upon request?
• Which law enforcement agency has jurisdiction over my data?