This document summarizes a presentation on cloud computing security given at the Ayala Summit 2013 in the Philippines. The presentation covered introducing cloud computing concerns and challenges, performing a security assessment, modeling threats and mitigation suggestions, considerations for networks of virtual environments, data security lifecycles, and people-related implications. It provided examples and approaches to addressing issues around flexibility, reliability, and visualizing virtual environments. The document contained the presentation agenda, slides with text and diagrams, and was copyrighted by FUJITSU.
2. Ayala Summit 2013, Philippines
Agenda
1Introduction
1Addressing the Concerns and Challenges
1Security Assessment
1Threat Modeling and Suggestions
1Network of Virtual Environments
1Data Security and Mitigations Suggestions
1People Related Implications
1PCI and Cloud Computing
1QA
4ED659 !#9$%A%9'()2
3. Ayala Summit 2013, Philippines
1 Introduction
1 Addressing the Concerns and Challenges
1 Security Assessment
1 Threats Modeling and Mitigations Suggestions
1 Network of Virtual Environments- Suggested considerations
1 Data Security, Concerns and Suggestions
1 People Related implications and Mitigations
4. Ayala Summit 2013, Philippines
123456789 AB4C3D3
Prepared for the Journey
Security is still a Major Concerns
5. Ayala Summit 2013, Philippines
Top 10 Strategic Technology Trends for
2013
Cloud is becoming a mainstream
computing style and delivery option with
hybrid cloud, cloud brokerage and new
delivery, management, and security
options accelerating adoption.
Copyright 2013 FUJITSU
6. Ayala Summit 2013, Philippines
Concerns
1 A56*958D893D89BB8D93+C598BCD65E*9B,463B89329
B8B56765E96C8969BC29-.C+6B*9.D67358*9/E+D62091659589
B82C8B89FD95897359,33D65E9F9BC296FD35DCB5CD89
284E,8549
Source: Top 10 Strategic Technology Trends for 2013, Gartner April 2, 2013
Copyright 2013 FUJITSU
7. Ayala Summit 2013, Philippines
1 Introduction
1 Addressing the Concerns and Challenges
1 Security Assessment
1 Threats Modeling and Mitigations Suggestions
1 Network of Virtual Environments- Suggested considerations
1 Data Security, Concerns and Suggestions
1 People Related implications and Mitigations
8. Ayala Summit 2013, Philippines
Threats
Modeling
Threats
Modeling
Addressing the Concerns and Challenges
• Threats and Mitigations
• Protection of Data, Security and MitigationsSecuritySecurity
Clear
Objectives
Clear
Objectives
• Security Assessment
• Division of Roles and Responsibilities
Roles
Responsibilities
Roles
Responsibilities
8 Copyright 2013 FUJITSU LIMITED
9. Ayala Summit 2013, Philippines
1 Introduction
1 Addressing the Concerns and Challenges
1 Security Assessment
1 Threats Modeling and Mitigations Suggestions
1 Network of Virtual Environments- Suggested considerations
1 Data Security, Concerns and Suggestions
1 People Related implications and Mitigations
11. Ayala Summit 2013, Philippines
1 Introduction
1 Addressing the Concerns and Challenges
1 Security Assessment
1 Threats Modeling and Mitigations Suggestions
1 Network of Virtual Environments- Suggested considerations
1 Data Security, Concerns and Suggestions
1 People Related implications and Mitigations
12. Ayala Summit 2013, Philippines
Threat Modeling Example
Threat Description Example
Spoofing Assume identity of client,
server or request/response
Phishing attack to fool user
into sending credentials to
fake site
Tampering Alter contents of request of
response
Message or data integrity
compromised to change
parameters or values
Repudiation Dispute legitimate transaction Illegitimately claiming a
transaction was not
completed
Information Disclosure Unauthorized release of data Unencrypted message
sniffed off the network
Denial of Service Service not available to
authorized users
System flooded by requests
until web server fails
Elevation of privilege Bypass authorization system Attacker changes group
membership
12 Copyright 2011 FUJITSU Asia Pte., Ltd.
13. Ayala Summit 2013, Philippines
Example Mapping Threat Model-Mitigations
Threat Security Service
Spoofing Authentication
Tampering Digital Signature, Hash
Repudiation Audit Logging
Information Disclosure Encryption
Denial of Service Availability
Elevation of privilege Authorization
13 Copyright 2011 FUJITSU Asia Pte., Ltd.
14. Ayala Summit 2013, Philippines
1 Introduction
1 Addressing the Concerns and Challenges
1 Security Assessment
1 Threats Modeling and Mitigations Suggestions
1 Network of Virtual Environments- Suggested considerations
1 Data Security, Concerns and Suggestions
1 People Related implications and Mitigations
15. Ayala Summit 2013, Philippines
Challenges for Networks of Virtual Environments
1 Consolidate physical servers
using virtualization software
- Reduce physical servers
- Realize central consolidation
services, organizational changes, etc.)
Flexible Operations
Is flexible response to requirement changes
such as addition and update of business
systems available? (Upon provision of new
services, organizational changes, etc.)
Challenge 1
However, when configuring business
systems in a virtual environment,
challenges exits!!
System Reliability
Are “security”, “safety”, and “stability of the
business systems ensured?
Challenge 2
network devices and the locations of errors?
Visualize Virtual Environments
When a trouble occurs in communications
between business systems, is it possible to
confirm the operational status of configured
network devices and the locations of errors?
Challenge 3
Virtualization Software
(VMware, Hyper-V, etc.)
Consolidate Virtualize
Servers
Plant B
Plant A
Headquarters
Office A
Office B
Office C
Copyright 2013 FUJITSU15
Resource pool of physical servers leveraging Virtualisation
16. Ayala Summit 2013, Philippines
Establish Flexible Operations (Approach to Challenge 1)
1 Templates enable quick creation of business systems to respond to the urgent launch of a new business
1 Automatic network configuration enables quick configuration of networks without specialized knowledge
Copyright 2013 FUJITSU16
Simplified addition and modification to business systems,
including complicated network reconfiguration
When preparing a 3-tier system for example…
System design?
Device configuration?
DMZ (Web) AP DB
FirewallServer Load Balancer
Storage
Servers
Normally
Using Orchestration Automation:
Possible to quickly prepare business
systems including networks, from the GUI!!
Administrator
Setup is
fast
Network
FirewallServer Load Balancer
Web tier AP tier DB tier So much work is involved!!
Supported devices?
Difficult to prepare it in a short time
Web
tier
AP
tier
DB
tier
Resources (devices) are automatically selected
according to the system configuration
By using a template, no need to
perform system design!!
Automatic configuration of devices during creation
of systems
Administrator
18. Ayala Summit 2013, Philippines
Visualize Virtual Environments (Approach to Challenge 3)
Copyright 2013 FUJITSU18
1 Quickly identify error locations during problems such as service interruptions,
enabling a prompt recovery response and reduced service downtime
DMZ (Web) AP DB
Example
device
configuration
Storage
Firewall
[ASA5500 Series]
L2 Switch
Business
Servers
Admin Server
Periodical Checks (*2)
1. Trouble occurs!
3. Confirm the status change
Identify the device!!(*1)
Infrastructure
Administrator
2. Problem
Detected
5. Check the status on5. Check the status on
the Resource Details
window
4. Click the device name
Identify the locations of devices with errors configured in a
virtual environment and detect status changes
*1: The trouble can be confirmed also from messages notifying of status changes which are output in
the event log as well as the icon change.
*2: Devices registered as network devices are monitored.
19. Ayala Summit 2013, Philippines
1 Introduction
1 Addressing the Concerns and Challenges
1 Security Assessment
1 Threats Modeling and Mitigations Suggestions
1 Network of Virtual Environments- Suggested considerations
1 Data Security, Concerns and Suggestions
1 People Related implications and Mitigations
20. Ayala Summit 2013, Philippines
WHERE IS MY DATA
20
Your Data
Unstructured data
File Systems
Office documents,
PDF, Vision, Audio
other
Fax/Print Servers
File Servers
Business Application
Systems
(SAP, PeopleSoft, Oracle
Financials, In-house,
CRM, eComm/eBiz, etc.)
Application Server
Structured data
Database Systems
(SQL, Oracle, DB2,
Informix, MySQL)
Database Server
Security
Other Systems
(Event logs, Error logs
Cache, Encryption keys,
other secrets)
Security Systems
Data Communications
Eg. VoIP Systems
FTP/Dropbox Server
Email Servers
Storage Backup
Systems
Eg. SAN/NAS
Backup Systems
1
2343567894958A5B8CC6D6A45CEDF34953AB58A5F3A5D6E984ED
AE8A5345856A53AB5E54E596D6546523435
895D8483
Copyright 2013 FUJITSU LIMITED
22. Ayala Summit 2013, Philippines 22
DATA SECURITY LIFECYCLE
Source:
Security Guidance for Critical Areas of Focus
in Cloud Computing V3.0, Information Management Data Security
Copyright 2013 FUJITSU LIMITED
23. Ayala Summit 2013, Philippines 23
This may also be known as Create/Update because it applies to
creating or changing a data/content element, not just a document
or database. Creation is the generation of new digital content, or
the alteration/updating of existing content.
Consideration (examples)
Ownership
Classification
Rights Management
1232456789A3B4CAD67B7C6
Copyright 2013 FUJITSU LIMITED
24. Ayala Summit 2013, Philippines 24
Storing is the act committing the digital data to some sort of
storage repository, and typically occurs nearly simultaneously with
creation.
Considerations (Examples)
Access Controls
Encryption
Rights Management
Isolation
1232456789A3B4CAD67B7C6
Copyright 2013 FUJITSU LIMITED
26. Ayala Summit 2013, Philippines 26
Data is exchanged between users, organisations, groups and
individual.
Considerations (Examples)
Internal/External
Third Parties
Purposes
Compliance
Locations
1232456789A3B4CAD67B7C6
Local
Mirroring
(RAID 1)
Remote
(Offsite)
Replication
1234563457348
Server Server
Primary Replica
Copyright 2013 FUJITSU LIMITED
27. Ayala Summit 2013, Philippines 27
Data leaves active use and enters long-term storage.
Considerations (Examples)
Legal/Law
Sites/Locations
Media type
Retention
Ownership
1232456789A3B4CAD67B7C6
Copyright 2013 FUJITSU LIMITED
28. Ayala Summit 2013, Philippines 28
Data is permanently destroyed using physical or digital means
(e.g., cryptoshredding).
1232456789A3B4CAD67B7C6
Considerations (Examples)
Secure
Complete
Assurance
Proof
Content Discovery
Copyright 2013 FUJITSU LIMITED
30. 2
EC65
Illustrations of application for Data Security Lifecycle:
Data-Impact (useful for Data Classification)
Data Security Lifecycle (useful for RACI)
Copyright 2013 FUJITSU LIMITED
35. Ayala Summit 2013, Philippines
Sharing other approaches/scenarios
1 Introduction
1 Addressing the Concerns and Challenges
1 Security Assessment
1 Threats Modeling and Mitigations Suggestions
1 Network of Virtual Environments- Suggested considerations
1 Data Security, Concerns and Suggestions
1 People Related implications and Mitigations
36. Ayala Summit 2013, Philippines
Logical Platform A
Division A
Segregation Isolation
1 The Access Control Feature controls the access between tenants and platforms
1 Address Translation Function can hide secure server information
1 The IPS feature protects each platform from flooding-attacks
Physical ServerPhysical Server
・・・
Server
Deploy
Server
Service user of division B
Logical Platform
Division B
Internet
Improved network security for customers, projects divisions
Logical Platform B
NS Appliance(*)NS Appliance(*)
Server
Physical ServerPhysical Server
・・・
NS Appliance(*)NS Appliance(*)
Copyright 2013 FUJITSU33
37. Ayala Summit 2013, Philippines
Data Protection- Encryption
1 Encrypts drive data
Encrypt confidential information in drives
Encryption
Encryption is specified
on a LUN basis
Encryption
Unencrypted
data
Encryption
Encryption
Encryption Encryption
Encryption Encryption
Encryption
Encryption
Encryption
Encryption
Encryption
Encryption setting and
management
Prevents information
leakage
Server A Server B Server C
unique encryption scheme
- Less performance degradation than
128bit AES
- Closed unique technology ensures the
safety
Encryption
AES (Advanced Encryption Standard) is an encryption standard of the Federal Information Processing Standards
Data removal
protection
Storage
34 Copyright 2013 FUJITSU LIMITED
38. Ayala Summit 2013, Philippines
1234567
89697
14564A
De-Coupling
Client A
Office Users
Client A
Remote Users
Client A
Physical App Server
Client A
Physical DB Server
Client A
Physical Web Server
Client A
Virtual App Server
Client A
Virtual DB Server
Client A
Virtual Web Server
39B3A6C927D4E7F4A
4A
A B3A6C927D4E7F4A
4A
39B3A6C927
47. Ayala Summit 2013, Philippines
Client and
Application zone
Servers
File Server zone
Security Appliance
Enables
File Security
Data-Key Separation
Additional layer of ACL
AES 256bit Encryption
SCB2 128bit Encryption
Data Encryption on write
Data Decryption on Read
36 Copyright 2013 FUJITSU LIMITED
3 Data in Server is encrypted
Hacking into Server will only get encrypted Data
3 No keys are exposed
outside of the environment boundary
49. Ayala Summit 2013, Philippines
Firewall
Server Load
Balancer
Web
Server
Application
Server
Application
Server
Database
Server
VLAN1001
VLAN1002
VLAN1003
Distribute requests
to two web servers
in round-robin fashion
Only HTTPS
communication
to SLB is permitted
to access from
outside the network.
Leverage Load Balancer Functionality
1 Example of a 3-tier system configuration
Web
Server
Communication
is permitted
between
internal segments.
Communication
is permitted
between
internal segments.
38 Copyright 2013 FUJITSU LIMITED
50. Ayala Summit 2013, Philippines
1 Introduction
1 Addressing the Concerns and Challenges
1 Security Assessment
1 Threats Modeling and Mitigations Suggestions
1 Network of Virtual Environments- Suggested considerations
1 Data Security, Concerns and Suggestions
1 People Related implications and Mitigations
51. Ayala Summit 2013, Philippines
Roles and Responsibilities
40 Copyright 2011 FUJITSU LIMITED
Capacity Management
• Workload placement
planning
• Service continuity mgmt
Service Developers:
• APIs, connectors,
Java
• Integration
Sourcing Management
• Multi-supplier mgmt
• Service governance
• Financial controls
• Comparative analysis
Security professionals
• Information Security
Mgmt
• Sourcing security
Service Managers
• Service portfolio mgmt
• Service governance
• Financial Costing /
cost recovery model
• Service brokerage
Business Relationship Mgmt
• Business Analyst
• Demand management
• Benefit realization
• Cloud Alliance Manager
Cloud Federation
Aggregation
• Technologist
cloud federation
architect
Enterprise Architecture Team
• Cloud Computing Architect
• Virtualization SME
Governance Compliance
• Risk Management
• COBIT, Controls, policies,
processes, procedures
• Internal Audit
• Cloud Risk and
Compliance
52. Ayala Summit 2013, Philippines
People Related Security
• Division of Roles and Responsibilities
Roles
Responsibilities
Roles
Responsibilities
41 Copyright 2013 FUJITSU LIMITED