Creating Cloud Confidence

Greg Brown
VP, CTO - Cloud and Data Center Solutions
www.mcafee.com/networksecurity
greg_brown@mcafee.com

August 2012
Can I Borrow $20?
How About $100,000?
August 28, 2012

And Now?
Should We Think About Data Center the Same Way?
Can We Apply the Security Here?
Challenges
     Loss of Physical Controls




Challenges
New Attack Surfaces

On a single server every layer of the stack is exposed, top to bottom:

  Data
  Application
  OS
  Hypervisor
  BIOS
  Processor

with the provisioning platform as a further surface alongside it.

Once virtualized, several guest stacks (Data / Application / OS) run on one shared Hypervisor, BIOS and Processor, so the layers below the guests are a surface common to every tenant above them.
Challenge
Extending Compliance

Compliance has to follow the workload through each stage of the move:

  PHYSICAL      MFR   ENG   HR          (each department on its own servers)
  VIRTUALIZED   MFR | ENG | HR          (departments as workloads on shared hosts)
  CLOUD         Company A | Company B   (different companies as tenants of one provider)
Building Foundation of Client to Cloud Security

Cloud Security Mission: Worry-Free Cloud Computing
Make cloud security equal to or better than traditional best-in-class enterprise security.

• Secure Cloud Datacenters (public/private clouds: servers, network, storage): infrastructure and data protection, audit/compliance
• Secure the Connections: apps, data, traffic
• Secure the Devices (user and intelligent devices): identity, device integrity and data protection
• Common Security Standards and Broad Industry Collaboration

Hardware-enhanced security plus software and services are key to achieving the mission.
McAfee Confidential
Up and Down – Integrity
Server Infrastructure

Integrity is built up layer by layer, from the silicon to the client. Each layer, with its goal, the Intel technology beneath it and the McAfee or partner products on top:

• Endpoint Aware Integrity: client/cloud mutual trust (Intel Identity Protection Technology (IPT); EMM/MMS, NG Endpoint)
• Real-time Integrity: continuous monitoring (GTI)
• Security Stack Integrity: security systems operational (MOVE, McAfee Application Control, McAfee Change Control)
• VM Integrity: ensure all VMs are "known good" (Intel Virtualization Technology (VT); SIA vendors)
• Location & Asset Control: control workload location
• Host Integrity: ensure server is "known good" (Intel Trusted Execution Technology (TXT))
• External Assessment and Reputation (McAfee SiteAdvisor Enterprise, McAfee Cloud Secure)
• Digital Certificates: validate web server is authentic

Will deliver on-going advancements to hardware and software security for greater controls and auditability.
Extending Security to the Virtual Cloud World

Virtualized and Private Cloud Data Center: Mfg, HR and Sales workloads on one VMM.
Public Cloud Data Center: Company A, Company B and Company C as tenants.

Extended Security Policy:
• Isolate, protect, control VMs (Intel Virtualization Tech., Intel Trusted Execution Tech., McAfee MOVE AV*)
• Provide visibility & reporting
• Apply security policy at multiple control points
• Monitor workloads across cloud infrastructures (McAfee ePO¹, Intel TXT)

Intel Trusted Execution Technology is run in the private data center: server "known good".
Intel Trusted Execution Technology is run in the public cloud: "issue identified".

¹ Integrating McAfee ePolicy Orchestrator (ePO) with Intel TXT requires custom integration work.
* McAfee MOVE AV = McAfee Management of Optimized Virtualized Environments Anti-Virus
McAfee Datacenter Security
The Heart of a Flexible, Efficient, Secure Next Generation Data Center

Security Management sits at the center of the portfolio; the areas around it (servers, databases, network, storage, and unified management with threat intelligence) follow one per slide.
Comprehensive Security for Servers

• Blacklisting – advanced anti-malware protection: McAfee VirusScan Enterprise
• Whitelisting – complete protection from malicious code and applications, by allowing only approved executables to run: McAfee Application Control
• System Control – server configuration control and tracking against internal "gold standards": McAfee Change Control
• Virtualization – advanced anti-malware protection extended to the virtual machines: McAfee MOVE AV
Reliable Real-Time Protection for Business-Critical Databases

• Database discovery and comprehensive vulnerability assessment: McAfee Vulnerability Manager for Databases
• Non-intrusive, real-time database visibility and protection across all threat vectors: McAfee Database Activity Monitoring
• Shield databases from known vulnerabilities without the downtime of a vendor patch (virtual patching blocks the exploit rather than changing the database code): McAfee Virtual Patching for Databases
Industry-leading next generation Network Protection Solutions

• Protection of network-connected devices against targeted attacks: McAfee Next Generation IPS
• High-assurance next-generation firewall capabilities, including application visibility: McAfee Next Generation Firewall
• Advanced threat response, behavioral analysis and access control for the network: McAfee Network Threat Response, McAfee Network Access Control and McAfee Network Threat Behavior Analysis
Comprehensive Security for Storage Devices

• Continuous protection for storage devices and their data: scan, detect and quarantine files on NAS storage devices (NetApp, EMC, Hitachi, SharePoint, etc.): McAfee VirusScan Enterprise for Storage
Unified Security Management and Powerful Threat Intelligence

• High-performance security information and event management (SIEM) for complete visibility and situational awareness to protect critical information and infrastructure: McAfee SIEM
• Single management console for McAfee security products and over 130 partner-integrated products: McAfee ePO
• Comprehensive threat intelligence from over 150 million sensors across the web, channeled into all products in real time: McAfee Global Threat Intelligence
Connecting to the Cloud With Confidence

Cloud Ecosystem: Email Security, Data Loss Prevention, Web Security and Identity Management, built on Global Threat Intelligence and McAfee ePolicy Orchestrator, serving enterprise users, mobile users and private cloud applications.

• Flexible deployment options – on-premise, SaaS or virtual
• Protection and policies across email and web channels
• Confidence to migrate data safely to public cloud
• Unify identity policies across SaaS and federated solutions
McAfee’s Tailored Data Protection Methodology

1. Discover and Learn: find all your sensitive data wherever it may be
2. Assess Risk: ensure secure data handling procedures are in place
3. Define Effective Policies: create policies to protect data and test them for effectiveness
4. Apply Controls: restrict access to authorized people and limit transmission
5. Monitor, Report and Audit: ensure successful data security through alerting and incident management
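Step 1 (discover) and step 5 (report) of the methodology, as an added example that is not McAfee DLP code: a scanner over a constructed set of files that flags payment-card numbers, validates each candidate with the Luhn check so that 16-digit order numbers and similar false positives are not reported, and masks findings so the inventory itself does not become sensitive data. The file names and contents are constructed for the example; the card numbers are the usual public test PANs.

```python
import re
from typing import Dict, List

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run (the lookarounds reject partial matches).
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812): double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text: str) -> List[str]:
    """Return candidate PANs (digits only) that pass the Luhn check."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep only the last four digits so the inventory does not leak the PAN."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Discovery inventory: file name -> masked PANs found (clean files omitted)."""
    report: Dict[str, List[str]] = {}
    for name, text in files.items():
        hits = find_cards(text)
        if hits:
            report[name] = [mask(p) for p in hits]
    return report


# Constructed corpus. 4111 1111 1111 1111 and 3782-822463-10005 are public test
# PANs; 4111111111111112 fails Luhn; the order id is 16 digits but is not a
# card number; the ticket number is too short to be a candidate at all.
SAMPLE_FILES: Dict[str, str] = {
    "finance/refunds.txt": "Refund to card 4111 1111 1111 1111, ticket #4711",
    "ops/orders.log": "order_id=1234567890123456 status=shipped",
    "hr/notes.txt": "typo card 4111111111111112 should be corrected",
    "sales/amex.csv": "name,pan\nJ. Doe,3782-822463-10005\n",
}

if __name__ == "__main__":
    for name, pans in scan(SAMPLE_FILES).items():
        print(name, pans)
```

The Luhn step is what separates a usable discovery scan from an alert flood: a bare 16-digit regex would report the order log and the mistyped number as well. Masking at the point of discovery matters for step 5, since a report that lists full PANs is itself in scope for the policy it is meant to enforce.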
Cloud Identity Manager

Internal users on any device (laptop, mobile), any time, anywhere, authenticate once to McAfee Cloud Identity Manager, which provides SSO, account provisioning and strong authentication for access to hundreds of external SaaS apps.
Identity sources behind it: AD, LDAP, database, SAML IdP, OpenID, etc.
Security and Cloud Adoption

From PHYSICAL (MFR, ENG, HR) to VIRTUALIZED (MFR | ENG | HR) to CLOUD (IaaS, PaaS):

• Enable Adoption
• Ensure Compliance
• Unified Security Process
• Optimized Performance
• Sustained investment
• Continuous Protection
Usage Case
Financial Transaction Clearinghouse

A Financial Institution sends Financial Transaction Records through its own perimeter (FW/DLP/…) to the Service Provider's Clearing House, where a bot is already running.

FW: Protocol Secure        ✔
FW: Intended Destination   ✔

Both perimeter checks pass, and the records are delivered to a compromised receiver. There is no model to create awareness of the health of the system receiving the data. This is generally true of all systems outside the perimeter.
Financial Transaction Clearinghouse, with a health assessment

The Financial Institution obtains a health assessment of the Clearing House before sending, and data is transmitted based on the health measure of the service.

FW: Protocol Secure        ✔
FW: Intended Destination   ✔
Receiving service healthy  ✔

McAfee is well positioned, both in technology assets and in brand permission, to become the standard for conveying system integrity across management domains.
Trapezoid RSA Demo
Enabling Private Cloud Adoption

A system admin in finance builds a new payroll application on a virtual server and provisions the virtual server to the data center. Once the application server is built, the system admin turns it over to the DC operations team to deploy on the PRIVATE CLOUD infrastructure (a hypervisor server in the corporate data center).

The system admin is blind to all of the underlying infrastructure, and ePO has no visibility into the hypervisor or the infrastructure today: ePO is not aware of hypervisor or physical server risks.
Sample Usage Case
Enabling Public Cloud Adoption

The virtual server is provisioned to the corporate data center, and DC Ops pushes it to the cloud provider. Both the corporate hypervisor server and the cloud provider's hypervisor server are TXT-measured and TRUSTED:

1. TXT signals TRUSTED hypervisor to the cloud provider's ePO
2. Cloud provider ePO sends the integrity result to GTI
3. Customer ePO queries GTI for the integrity result
4. Payroll application reported compliant while running in the Public Cloud

Safe Private Cloud enabled (corporate data center); Safe Public Cloud enabled (public cloud data center).

Net Result:
- CIO public cloud objectives enabled
- Cloud provider preferred over others – greater value!
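The flow of the last two usage cases (a host measured at launch, an integrity verdict relayed to a verifier, and the clearinghouse rule of transmitting only to a receiver whose health is known), as an added example that is not code from the original page, from Intel TXT, ePO or GTI. It models the pieces with Python standard-library primitives: a sha256 extend chain stands in for TPM PCRs, an HMAC under a key pre-registered with the verifier stands in for the TPM attestation-key signature, and the verifier (the ePO/GTI role) holds the known-good measurement. The component images, the key and the record names are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed "firmware images" for the components a measured launch covers.
GOOD_STACK: Dict[str, bytes] = {
    "bios": b"BIOS v1.2 (constructed sample)",
    "hypervisor": b"hypervisor build 4711 (constructed sample)",
}
MEASURE_ORDER = ("bios", "hypervisor")


def extend(register: bytes, component: bytes) -> bytes:
    """TPM-style extend: R' = H(R || H(component)); the order of extends matters."""
    return hashlib.sha256(register + hashlib.sha256(component).digest()).digest()


def measure_stack(stack: Dict[str, bytes]) -> bytes:
    """Measure the boot components in a fixed order into one register."""
    register = b"\x00" * 32
    for name in MEASURE_ORDER:
        register = extend(register, stack[name])
    return register


@dataclass
class Quote:
    register: bytes   # the measurement being attested
    nonce: bytes      # verifier's challenge; binds the quote to this request
    mac: bytes        # stand-in for the TPM attestation-key signature


class Host:
    """The server being attested. `key` stands in for a TPM-held attestation key."""

    def __init__(self, stack: Dict[str, bytes], key: bytes) -> None:
        self.stack, self.key = stack, key

    def quote(self, nonce: bytes) -> Quote:
        register = measure_stack(self.stack)
        mac = hmac.new(self.key, register + nonce, hashlib.sha256).digest()
        return Quote(register, nonce, mac)


class Verifier:
    """Plays the ePO/GTI role: knows the host's key and the known-good register."""

    def __init__(self, key: bytes, known_good: Set[bytes]) -> None:
        self.key, self.known_good = key, known_good
        self._outstanding: Set[bytes] = set()

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, q: Quote) -> str:
        # A quote is accepted once, for a nonce this verifier issued: no replay.
        if q.nonce not in self._outstanding:
            return "issue identified: stale or unknown nonce"
        self._outstanding.discard(q.nonce)
        expected = hmac.new(self.key, q.register + q.nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, q.mac):
            return "issue identified: attestation signature invalid"
        if q.register not in self.known_good:
            return "issue identified: measurement not in known-good list"
        return "TRUSTED"


def release_records(verifier: Verifier, receiver: Host, records: List[str]) -> List[str]:
    """The clearinghouse rule: transmit only to a receiver that attests healthy."""
    verdict = verifier.verify(receiver.quote(verifier.challenge()))
    return list(records) if verdict == "TRUSTED" else []


def demo() -> Dict[str, object]:
    """Walk the flow for a healthy host, a replayed quote and a tampered host."""
    key = b"constructed attestation key"        # pre-registered with the verifier
    verifier = Verifier(key, {measure_stack(GOOD_STACK)})
    good = Host(GOOD_STACK, key)
    tampered = Host({**GOOD_STACK, "hypervisor": b"hypervisor build 4711 + rootkit"}, key)
    records = ["txn-0001", "txn-0002"]
    first_quote = good.quote(verifier.challenge())
    return {
        "good": verifier.verify(first_quote),
        "replay": verifier.verify(first_quote),          # same quote presented again
        "tampered": verifier.verify(tampered.quote(verifier.challenge())),
        "released_to_good": release_records(verifier, good, records),
        "released_to_tampered": release_records(verifier, tampered, records),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things the slide arrows hide are explicit here: the verifier issues a fresh nonce per challenge, so a quote captured while the host was healthy cannot be presented again after it is compromised, and the verdict depends on the whole extend chain, so a changed hypervisor image changes the register even though the BIOS measurement is untouched. In a real TXT/TPM deployment the quote is signed by a TPM-resident key rather than a shared HMAC key, and the known-good list has to be re-baselined whenever firmware or the hypervisor is patched, or every patched host reports as "issue identified".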
Cut Costs And Increase The Level of Content And Data Protection

• Proliferation of technology at the gateway
  – Adoption of point solutions has increased operational costs
  – Behind the firewall, a chain of separate boxes sits between the Internet and the users and data: Proxy, Cache, Anti-Virus, Web Exploit Protection, URL Filter, SSL Inspection, Instant Messaging Inspection
  – Consolidated into one platform: McAfee Web Gateway
Types of SSO Connectors

• SAML: SAML 2.0 or SAML 1.1 federation
• Proprietary: custom method supported by the target application
• Agent: an agent needs to be installed on the target app; Java, .NET and PHP agents are available today
• HTTP-Post: username/password are captured during the first login, and an automated HTTP form post is performed on subsequent logins. This connector therefore has to hold each user's application password in recoverable form, which makes its credential store a high-value target.
Front-end Authentication into Cloud Identity Manager

• Username/Password: user store in a directory (AD / LDAP), database or CAS
• 2-factor authentication: OTP (built-in); facial recognition (through partner BioID)
• First mile SSO: AD IWA; 3rd-party IdM session (such as CA SiteMinder); accept SAML assertion
• Internet Identity Providers: Facebook; OpenID (Google, Yahoo, PayPal, etc.); SAML (Salesforce)
Strong Authentication Features

Software OTP
• Coverage across multiple devices and delivery methods
• Simple and fast to roll out with user self-enrollment
  – Mobile token: Pledge
  – USB key: YubiKey
  – Email
  – Runs on all platforms: iPhone, BlackBerry, WinMobile, etc.

Silicon OTP
• IPT: secure ME layer in the Intel chip
• "Hardens" software OTP
• Attests that the SSO came from a corporate-issued laptop
• Embedded in Ultrabooks

Deliver a more secure Cloud SSO by invoking strong auth from hardware or mobile software clients.

Intel Cloud Summit: Greg Brown McAfee

  • 1.
    Creating Cloud Confidence GregBrown VP, CTO - Cloud and Data Center Solutions www.mcafee.com/networksecurity greg_brown@mcafee.com August 2012
  • 2.
    Can I Borrow$20? How About $100,00? 2 August 28, 2012
  • 3.
    And Now? 3 August 28, 2012
  • 4.
    Should We ThinkAbout Data Center the Same Way?
  • 5.
    Can We Applythe Security Here?
  • 6.
    Challenges Loss of Physical Controls • Fotostock
  • 7.
    Challenges Loss of Physical Controls • Fotostock
  • 8.
    Challenges New Attack Surfaces Data Application OS Provisioning Hypervisor Platform BIOS Processor
  • 9.
    Challenges New Attack Surfaces Data Data Application Application OS OS Provisioning Hypervisor Platform BIOS Processor
  • 10.
    Challenge Extending Compliance VIRTUALIZED PHYSICAL MFR | ENG | HR CLOUD Company A Company B MFR ENG HR
  • 11.
    Building Foundation ofClient to Cloud Security Cloud Security Mission: Worry-Free Cloud Computing Make cloud security equal to or better than traditional best in class enterprise security Public/Private Clouds User & Intelligent Devices (Servers, Network, Storage) Private Cloud Secure the Connections Public Apps, data, traffic Cloud Secure Cloud Datacenters Secure the Devices Infrastructure & data protection, Identity, device integrity & data audit/compliance protection Common Security Standards & Broad Industry Collaboration Hardware-enhanced security + software & services key to achieve mission 11 McAfee Confidential
  • 12.
    Up and Down– Integrity Server Infrastructure Intel Identity Theft Protection (ITP) Endpoint Aware Integrity Client/cloud mutual trust EMM/MMS, NG Endpoint Real-time Integrity Continuous monitoring GTI Security Stack Integrity MOVE, McAfee Application Security systems operational Control, & Change Control Intel Virtualization Technology (VT) VM Integrity SIA – Vendors Ensure all VMs are “known good” Location & Asset Control Control workload location Intel Trusted Execution Technology Host Integrity (TXT) Ensure server is “known good” External Assessment McAfee SiteAdvisor Enterprise and Reputation McAfee Cloud Secure Digital Certificates Validate web server is authentic Will deliver on-going advancements to hardware & software security for greater controls & auditability 12
  • 13.
    Extending Security tothe Virtual Cloud World Virtualized and Private Cloud Data Public Cloud Data Center Center Extended Security Policy Isolate, protect, control VMs Company Intel Virtualization Tech., Intel Trusted Execution Tech., A Mfg Sales McAfee MOVE AV* HR Sales Company Company Provide visibility & reporting B C VMM Apply security policy at multiple control points Monitor workloads across cloud infrastructures McAfee ePO, Intel TXT McAfee ePO1 Intel Trusted Execution Technology Intel Trusted Execution Technology is run: Server “known good” is run: “issue identified” 1 Integrating McAfee ePolicy Orchestrator (ePO) with Intel TXT requires custom integration work 13 McAfee Confidential *McAfee MOVE AV = McAfee Management of Optimized Virtualized Environments Anti-Virus
  • 14.
    McAfee Datacenter Security TheHeart of a Flexible, Efficient, Secure Next Generation Data Center Security Management 14
  • 15.
    McAfee Datacenter Security TheHeart of a Flexible, Efficient, Secure Next Generation Data Center Comprehensive Security for Servers Blacklisting – Advanced Anti-Malware Protection McAfee Virus Scan Enterprise Whitelisting – Complete protection from malicious codes and applications McAfee Application Control Security Management System Control – Server configuration control and tracking against internal “gold standards” McAfee Change Control Virtualization – Advanced Anti-malware protection extended to the Virtual Machines McAfee MOVE-AV 15
  • 16.
    McAfee Datacenter Security TheHeart of a Flexible, Efficient, Secure Next Generation Data Center Reliable Real-Time Protection for Business-Critical Databases Database discovery and comprehensive Vulnerability Assessment McAfee Vulnerability Manager for Databases Non-intrusive, real-time database visibility & Security Management protection across all threat vectors McAfee Database Activity Monitoring Patch databases without downtime McAfee Virtual Patching for Databases 16
  • 17.
    McAfee Datacenter Security TheHeart of a Flexible, Efficient, Secure Next Generation Data Center Industry leading next generation Network Protection Solutions Protection of network connected devices against targeted attacks McAfee Next Generation IPS High-assurance strong next-generation firewall capabilities, including application visibility Security McAfee Next Generation Firewall Management Advanced threat response, behavioral analysis and access control solutions for the network McAfee Network Threat Response, McAfee Network Access Control and McAfee Network Threat Behavior Analysis 17
  • 18.
    McAfee Datacenter Security TheHeart of a Flexible, Efficient, Secure Next Generation Data Center Comprehensive Security for Storage Devices Continuous protection for storage devices and their data Security Management Scan, detect and quarantine files on NAS storage devices (NetAPP, EMC, Hitachi, Sharepoint, etc.) McAfee Virus Scan Enterprise - Storage 18
  • 19.
    McAfee Data CenterSecurity The Heart of a Flexible, Efficient, Secure Data Center Unified Security Management and Powerful Threat Intelligence High-performance security information and event management (SIEM) solutions for complete visibility and situational awareness to protect critical information and infrastructure McAfee SIEM Single Management Console for McAfee Security Products and over 130 partner integrated Products Security Management McAfee ePO Comprehensive threat intelligence from over 150 million sensors across the web, channeled into all products in real time McAfee Global Threat Intelligence 19
  • 20.
    Connecting to theCloud With Confidence • Flexible deployment options – Cloud Ecosystem On-premise, Saas or virtual • Protection and policies across Email and Email Data Loss Web Identity Web Channels Security Prevention Security Management • Confidence to migrate data safely to public Global Threat Intelligence cloud McAfee ePolicy Orchestrator • Unify identity policies across SaaS and federated solutions Enterprise Mobile Enterprise Private Cloud Users Users Applications 20
McAfee's Tailored Data Protection Methodology
1. Discover and Learn: find all your sensitive data wherever it may be
2. Assess Risk: ensure secure data handling procedures are in place
3. Define Effective Policies: create policies to protect data and test them for effectiveness
4. Apply Controls: restrict access to authorized people and limit transmission
5. Monitor, Report and Audit: ensure successful data security through alerting and incident management
McAfee Cloud Identity Manager (diagram)
• Account Provisioning, SSO and Strong Auth into 100s of external SaaS apps
• Internal users on laptops and mobile devices: any device, any time, any where
• Identity sources: AD, LDAP, Database, SAML IdP, OpenID, etc.
Security and Cloud Adoption
Physical (MFR | ENG | HR) → Virtualized (MFR | ENG | HR) → Cloud (IaaS, PaaS)
• Enable Adoption
• Ensure Compliance
• Unified Security Process
• Optimized Performance
• Sustained investment
• Continuous Protection
Usage Case: Financial Transaction Clearinghouse
Financial Institution → FW / DLP / … → Service Provider: Clearing House, receiving Financial Transaction Records (the diagram places a Bot on the receiving system)
FW: Protocol Secure ✔
FW: Intended Destination ✔
There is no model to create awareness of the health of the system receiving the data. This is generally true of all systems outside the perimeter.
August 28, 2012
Financial Transaction Clearinghouse: Healthy Assessment
Financial Institution → FW → Clearing House, receiving Financial Transaction Records
Data transmitted based on health measure of service.
FW: Protocol Secure ✔
FW: Intended Destination ✔
Health assessment of the receiving service ✔
McAfee is well positioned both in technology assets and in brand permission to become the standard for conveying system integrity across management domains.
Trapezoid RSA Demo: Enabling Private Cloud Adoption (Corporate Data Center)
• A system admin in finance builds a new payroll application on a virtual server.
• Once the application server is built, the system admin turns it over to the DC operations team to deploy on the PRIVATE CLOUD infrastructure.
• DC operations provisions the virtual server onto a DC hypervisor.
• The system admin is blind to all of the underlying server infrastructure.
• ePO has no visibility into the hypervisor or the infrastructure today: ePO is not aware of hypervisor or physical server risks.
Sample Usage Case: Enabling Public Cloud Adoption
DC Ops pushes the virtual server from the corporate data center to the cloud provider's hypervisor.
1. TXT signals TRUSTED Hypervisor to ePO.
2. ePO sends integrity to GTI.
3. Customer ePO queries GTI for integrity.
4. Payroll application reported ePO compliant while running in Public Cloud.
Safe Private Cloud Enabled (corporate data center: TRUSTED hypervisor and server) → Safe Public Cloud Enabled (public cloud data center: TRUSTED hypervisor and server)
Net Result:
• CIO public cloud objectives enabled
• Cloud provider preferred over others: greater value!
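The two preceding usage cases (health-gated transmission to the clearing house, and the customer's ePO querying GTI for the integrity of a host before trusting the payroll application) share one mechanism: release data to a remote system only after a fresh, authenticated integrity report for that system checks out. The following is an added example, not McAfee code and not a real ePO/GTI/TXT API: the AttestationBroker, host names, measurement values and the shared MAC key are all constructed for the demo, and an HMAC stands in for the signed attestation a real broker would produce.

```python
"""Health-gated data release, modelling the flow on the slides.

Constructed example: the broker stands in for the integrity service
between the two management domains, measurements are made up, and the
report is authenticated with an HMAC under a key shared between broker
and relying party (a simplification of a signed attestation).
"""
import hashlib
import hmac
import json
import secrets
import time

# Constructed: MAC key shared by the broker and the relying party.
BROKER_KEY = b"constructed-demo-key-not-for-real-use"

# Constructed: known-good hypervisor measurements the relying party accepts
# (what a TXT/TPM-rooted launch would report for a trusted build).
KNOWN_GOOD = {
    "hv-2012.08": hashlib.sha256(b"hypervisor-image-2012.08").hexdigest(),
}


def _canonical(body: dict) -> bytes:
    """Stable serialisation so both sides MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class AttestationBroker:
    """Hypothetical integrity service: a host's manager publishes its
    measurement (step 2 on the slide); relying parties query it (step 3)."""

    def __init__(self, key: bytes):
        self._key = key
        self._latest = {}  # host_id -> latest reported measurement

    def submit(self, host_id: str, measurement: str) -> None:
        self._latest[host_id] = measurement

    def query(self, host_id: str, nonce: str, now=None):
        measurement = self._latest.get(host_id)
        if measurement is None:
            return None
        body = {
            "host_id": host_id,
            "measurement": measurement,
            "nonce": nonce,  # binds the report to this particular query
            "issued": int(time.time() if now is None else now),
        }
        mac = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        return {"body": body, "mac": mac}


def verify_report(report, expected_nonce, key, max_age_s=300, now=None):
    """Return (ok, reason). Every check fails closed."""
    if report is None:
        return False, "no integrity report available for host"
    body = report.get("body", {})
    expected_mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, report.get("mac", "")):
        return False, "report authentication failed"
    if body.get("nonce") != expected_nonce:
        return False, "report is not fresh (nonce mismatch)"
    now = time.time() if now is None else now
    if now - body.get("issued", 0) > max_age_s:
        return False, "report expired"
    if body.get("measurement") not in KNOWN_GOOD.values():
        return False, "measurement is not on the known-good list"
    return True, "host attested"


def send_if_healthy(broker, host_id, payload, send, key=BROKER_KEY, now=None):
    """Release payload to the host only after a fresh, valid attestation."""
    nonce = secrets.token_hex(16)
    report = broker.query(host_id, nonce, now=now)
    ok, reason = verify_report(report, nonce, key, now=now)
    if ok:
        send(payload)
    return ok, reason


if __name__ == "__main__":
    broker = AttestationBroker(BROKER_KEY)
    broker.submit("payroll-vm-host", KNOWN_GOOD["hv-2012.08"])
    print(send_if_healthy(broker, "payroll-vm-host", b"records", print))
    print(send_if_healthy(broker, "unknown-host", b"records", print))
```

The order of the checks matters: authenticity first, then freshness (the nonce defeats replay of an old "healthy" report, the age bound catches a broker that answers with stale data), and only then policy. A host the broker has never heard of is refused rather than waved through, which is the behaviour the first clearing-house slide says is missing today.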
Cut Costs and Increase the Level of Content and Data Protection
• Proliferation of technology at the gateway: adoption of point solutions has increased operational costs
Point solutions at the gateway: Firewall, Proxy, Cache, Anti-Virus, Web Exploit, URL Filter, SSL Inspection, Instant Messaging Inspection, Users and Data Protection → consolidated in McAfee Web Gateway
Types of SSO Connectors
• SAML: SAML 2.0 or SAML 1.1 federation
• Proprietary: custom method supported by the target application
• Agent: an agent needs to be installed on the target application; Java, .NET and PHP agents available today
• HTTP-Post: username/password are captured during first login, and an automated HTTP form post is performed in subsequent logins (the connector therefore holds the user's password for the target application in replayable form, whereas with SAML federation no password leaves the identity provider)
Front-end Authentication into Cloud Identity Manager
• Username/Password: user store is a Directory (AD / LDAP), Database or CAS
• 2-factor authentication: OTP (built-in); facial recognition (through partner BioID)
• First mile SSO: AD IWA; 3rd-party IdM session (such as CA SiteMinder); accept SAML assertion
• Internet Identity Providers: Facebook; OpenID (Google, Yahoo, PayPal, etc.); SAML (Salesforce)
Strong Authentication Features
Software OTP
• Coverage across multiple devices and delivery methods
• Simple and fast to roll out with user self-enrollment
  – Mobile token: Pledge
  – USB key: YubiKey
  – Email
  – Runs on all platforms: iPhone, BlackBerry, WinMobile, etc.
Silicon OTP
• IPT (Intel Identity Protection Technology): secure ME (Management Engine) layer in the Intel chip
• "Hardens" software OTP
• Attests that the SSO came from a corporate-issued laptop
• Embedded in Ultrabooks
Deliver a more secure cloud SSO by invoking strong auth from hardware or mobile software clients.
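To make the OTP feature list concrete, here is an added example, not McAfee code, of what the server side of the "Software OTP" bullet has to do. It assumes the tokens are OATH-style HOTP (RFC 4226, event-based: USB key, mobile token) or TOTP (RFC 6238, time-based) tokens; the deck does not state which algorithm its tokens use. The secret is the RFC test-vector key, constructed for the demo. It goes a little beyond the slide by showing the two checks the slide does not mention but a deployment cannot skip: a look-ahead/skew window so tokens that drift still work, and a moving counter so a captured code cannot be replayed.

```python
"""OATH HOTP/TOTP generation and replay-safe server-side verification.

Added example (not McAfee code). Assumes OATH HOTP (RFC 4226) and TOTP
(RFC 6238) tokens; DEMO_SECRET is the RFC test-vector key.
"""
import hashlib
import hmac
import struct
import time

DEMO_SECRET = b"12345678901234567890"  # RFC 4226 / 6238 test-vector key


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: dynamic truncation of HMAC(secret, 8-byte big-endian counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    t = int(time.time() if for_time is None else for_time) // step
    return hotp(secret, t, digits, algo)


class HotpVerifier:
    """Server side for event-based tokens.

    Searches a small look-ahead window (token presses that never reached
    the server) and then moves the expected counter past the accepted
    value, so a code captured in transit cannot be replayed.
    """

    def __init__(self, secret: bytes, look_ahead: int = 5, digits: int = 6):
        self.secret = secret
        self.look_ahead = look_ahead
        self.digits = digits
        self.next_counter = 0  # persist this per user in a real deployment

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.next_counter = c + 1
                return True
        return False


class TotpVerifier:
    """Server side for time-based tokens.

    Tolerates +/- `skew` time steps of clock drift, but never accepts a
    step at or before the last accepted one, which closes the replay
    window that drift tolerance would otherwise open.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.skew = skew
        self.last_step = -1  # persist per user

    def verify(self, code: str, for_time=None) -> bool:
        t = int(time.time() if for_time is None else for_time) // self.step
        for d in range(-self.skew, self.skew + 1):
            s = t + d
            if s > self.last_step and hmac.compare_digest(
                    hotp(self.secret, s, self.digits), code):
                self.last_step = s
                return True
        return False


if __name__ == "__main__":
    print(hotp(DEMO_SECRET, 0))                     # 755224 per RFC 4226
    print(totp(DEMO_SECRET, for_time=59, digits=8))  # 94287082 per RFC 6238
```

The per-user counter (`next_counter` / `last_step`) is the state that actually provides the second factor's security on the server side; it must be stored durably and updated atomically, otherwise two concurrent logins with the same captured code can both succeed.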