
Securing Sensitive Data in Your Hybrid Cloud

RightScale Webinar: Do you want both the control and customization of a private cloud and the cost savings of a public cloud? Then a hybrid cloud might be the best solution for your business. But to safely receive these benefits, you’ll need to secure your sensitive data across both your private and public cloud.

Hear about the challenges faced by cloud customers as they deploy applications and data in hybrid clouds. Join Dave Asprey, VP of Cloud Security at Trend Micro, and Phil Cox, Director of Security and Compliance at RightScale, to learn about common pitfalls, inherent risks, and security best practices to protect sensitive information in cross-cloud environments.

With effective and flexible cloud security, you can embrace the economic and technical efficiencies of hybrid clouds, improving your business and saving costs.

  • Poor application security leading to injection
    - SQL injection was one of the top exploits in the Verizon Data Breach Report
    Poor system configurations leading to system compromise
    - Note the recent Windows RDP “exploit”: RDP left open, with Administrator having a well-known password
    Poor application configuration leading to application compromise
    - Browsers that run scripts automatically
    Poor user habits leading to compromised credentials that are then used to access data
    - Users who click on attachments: Zeus bot, FakeAV, etc.
  • Considerations: TCP/UDP paths are not guaranteed!
    - From source to destination (initial loads or updates): across public networks or private?
    - Once in the “cloud”: within the Cloud Provider (CP) network where data is stored; crossing the CP network where data is stored; within the hypervisor
    Can someone:
    - View or modify it? Yes: unencrypted, encrypted w/keys. So encrypt it, and protect the keys.
    - Deny it? Yes: packet manipulation. No way to prevent. Can use reliable transports and dedicated connections.
  • Can someone:
    - View or modify it? Yes: unencrypted, encrypted w/keys. So encrypt it, and protect the keys.
    - Deny it? Yes: local system access if improper ACL; improper CP controls. Proper ACL for local accounts. No way to prevent CP access. Risk assessment should be performed.
  • Can someone:
    - View or modify it? Yes: memory is clear. Need to protect running memory from the Instance. Need to trust the CP.
    - Deny it? No: not specifically data. Can affect the instance, but really not practical to affect data in memory without affecting running instance stability.
  • Trusted Images
    - Windows w/ critical/recommended patches installed to image creation date
    Known configurations
    - ServerTemplates
    Trusted software repositories
    - Frozen repositories
    Script the install and config
    - RightScripts
  • How
    - Same mechanism as in your enterprise
    - RightScale can be used to automate/orchestrate where needed, but does not do the patching
    - Windows: Windows Update, SUS, SCOM agent, etc. Think about application patching.
    - Linux: unfreeze repositories OR RightScript to update repository to latest tested. Latter probably works better with Change Control Process.

    1. Data Security in the Cloud
       - Leveraging RightScale and Trend Micro SecureCloud
       - Sept 28, 2011
    2. Your Panel Today
       - Presenting
         - Uri Budnik, Director, ISV Partner Program, RightScale @uribudnik
         - Phil Cox, Director, Security and Compliance, RightScale @sec_prof
         - Dave Asprey, VP Cloud Security, Trend Micro @daveasprey
       - Q&A
         - Jonathan Curtin, Account Manager, RightScale
       - Please use the “Questions” window to ask questions any time!
    3. Agenda
       - Introduction
       - Data Security Concerns and Best Practices
       - RightScale Platform and Dashboard Overview
       - SecureCloud Deep Dive
       - Q&A
    4. Data Security
       - We will cover …
       - Common data exposure vectors
       - Security benefits of centralized management
       - Unique security needs associated with hybrid and cross-cloud environments
    5. Biggest real risks to data in the cloud?
       - The same things as when your data were not in the cloud.
         - Poor application security leading to injection
         - Poor system configurations leading to system compromise
         - Poor application configuration leading to application compromise
         - Poor user habits leading to compromised credentials that are then used to access data
    6. Common data exposure vectors in the cloud
       Data is typically exposed in the following three states:
       - In Process
       - At Rest
       - In Transit
    7. We must protect data “In Transit”
       - Why?
         - You do not want the bad guys to see or modify your data
         - You can’t guarantee the path your data will take
         - You may have regulatory or contractual requirements to do so
       - Risk
         - Sniffing along the path
         - Modification of existing data
         - Injection of new data
       - Common Solutions
         - Application Transport (SSL & TLS)
         - VPN (SSL, IPSEC, PPTP, L2TP)
         - App level data encryption (custom)
       (Figure: Map of Internet Traffic)
    8. We must protect data “At Rest”
       - Why? Same as previous: You do not want unauthorized
         - Disclosure
         - Modification
         - Injection
       - Risks
         - Intrusion into Instance/Guest exposes data on its filesystem
         - Cloud provider access to ephemeral storage (e.g., EBS, SWIFT)
         - Cloud provider access to other storage options (e.g., S3, CloudFiles)
       - Common Solutions
         - Protection offered by running operating system (Access Control Lists)
         - *Encryption (and Key Management)*
         - SLA and Policies/Processes of the Cloud provider
    9. We must protect data while “In Process”
       - Why? Same as previous: You do not want unauthorized
         - Disclosure
         - Modification
         - Injection
       - Risk
         - Data is in clear in the memory of the Instance
         - Privileged users on a system can read memory
         - Hypervisor has access to instance memory
       - Common Solutions
         - Protect the system that is processing
         - Protect the hypervisor running the Instance
         - Limit administrative users
    10. Where RightScale shines
       - RightScale can be used to ensure that poor system and application configurations are not what cause you to lose your data
       - Use RightScale to:
         - Require data to be transmitted securely
         - Require data be stored securely
         - Ensure systems are appropriately patched and configured to minimize exposures
       - The core technologies are
         - RightImages
         - ServerTemplates
         - RightScripts
         - Repo’s and Mirrors
       - Security Motto: “Build it secure, keep it secure!”
    11. Build it Secure
       - What
         - Use Trusted Images
         - Known Configurations
         - Trusted Repository
         - Script the install and configuration
       - How
         - Start with Multi-Cloud Images
         - Build with ServerTemplates
         - Modify with RightScripts
         - Build from Frozen Repos
    12. Keep it Secure
       - What
         - Update the Operating System
         - Update the applications
         - Validate the configuration
       - How
         - You can use the same mechanism as in your enterprise
           *OR*
         - Use operational RightScripts to do it for you
           *OR*
         - Use a partner ISV that specializes in that service
    13. Hybrid/cross cloud security concerns
       - Cloud functionality differences
         - This is the biggest concern in a non-homogeneous environment
         - Security features are different in scope and implementation for basically all different cloud orchestration technologies
         - Identity and Access Management features differ
         - Log levels and information differ
       - Applying consistent builds throughout
         - Think of the term “security group”, then define what that means in all the clouds you will use?
         - How do you manage them consistently?
       - Physical protections will differ from provider to provider
         - You will need to take this into consideration when looking at controls to implement
    14. RightScale Real Customers, Real Deployments, Real Benefits
       - Managed Cloud Deployments for 4 Years — globally
       - More than 45,000 users; launched more than 3MM servers!
       - Powering the largest production deployments on the cloud
    15. What do we Mean by Cloud Computing?
    16. RightScale Manages IaaS Clouds
    17. Complete Systems Management
    18. Scalable Web Applications
    19. ServerTemplates
       - Dynamic configuration
       - Abstract role and behavior from cloud infrastructure
       - Predictable deployment
       - Cloud agnostic / portable
       - Object-oriented programming for sysadmins
    20. Parenthesis: What are ServerTemplates?
       - Configuring servers through bundling Images:
         - Custom MySQL 5.0.24 (CentOS 5.2)
         - Custom MySQL 5.0.24 (CentOS 5.4)
         - MySQL 5.0.36 (CentOS 5.4)
         - MySQL 5.0.36 (Ubuntu 8.10)
         - MySQL 5.0.36 (Ubuntu 8.10) 64bit
         - Frontend Apache 1.3 (Ubuntu 8.10)
         - Frontend Apache 2.0 (Ubuntu 9.10) - patched
         - CMS v1.0 (CentOS 5.4)
         - CMS v1.1 (CentOS 5.4)
         - My ASP appserver (windows 2008)
         - My ASP.net (windows 2008) – security update 1
         - My ASP.net (windows 2008) – security update 8
         - SharePoint v4 (windows 2003) – 32bit
         - SharePoint v4 (windows 2003) – 64bit
         - SharePoint v4.5 (windows 2003) – 64bit
         - …
       - Configuring servers with ServerTemplates: a set of configuration directives that will install and configure software on top of the base image
         - Base Image (very few and basic): CentOS 5.2, CentOS 5.4, Ubuntu 8.10, Ubuntu 9.10, Win 2003, Win 2007
    21. ServerTemplates VS.
       - Integrated approach that puts together all the parts needed to architect single & multi-server deployments
    22. What Are Cloud Security Concerns?
       - Your data is mobile — has it moved?
       - Who can see your information?
       - Who is attaching to your volumes?
       - Do you have visibility into who has accessed your data?
    23. Trend Micro SecureCloud - How It Works
    24. Policy-based Key Management in the Cloud
    25. Working Together - ServerTemplates
       - Dynamic configuration of environment.
       - Predictable deployment.
       - Identity and integrity checking of environment.
       - Data remains encrypted throughout the cloud.
       - Key Management separate from cloud provider.
    26. SecureCloud Demo
    27. Find Out More
       - Web Resources:
         - TrendMicro.com/securecloud
         - RightScale.com/webinars
         - RightScale.com/whitepapers
       - Blogs:
         - CloudSecurity.TrendMicro.com
         - Blog.RightScale.com
       - Follow us on Twitter
         - @daveasprey
         - @uribudnik
         - @sec_prof
    28. Thank you!!!
       - Contact Information
       - SecureCloud Product Team
         - [email_address]
         - [email_address]
         - [email_address]
       - RightScale
         - [email_address]
         - 1-866-720-0208
         - [email_address]
         - [email_address]
