Security management to, for, and from the cloud
CA’s Cloud Security Capabilities & Strategy

Oded Tsur, CISSP
Sr. Solution Strategist
Cloud - Next Wave of IT Architectures




 2   Copyright © 2010 CA. All rights reserved.
Many Have Adopted Some Cloud Services
Some Have Adopted Many Cloud Services

Source: Security of Cloud Computing Users – A Study of US & EMEA IT Practitioners, Ponemon Institute, May 12, 2010
http://www.ca.com/files/IndustryResearch/security-cloud-computing-users_235659.pdf
Why Adopt the Cloud?
To Save $ & Time
Who is Responsible For Security?
Do You Know Your Cloud Services?
IAM is #1 Area of Focus for Migration
What is the Cloud?

Service models: SaaS, PaaS, IaaS
Deployment models: Public Cloud, Hybrid Cloud, Private Cloud
Identity & Access Management - Defined

Without IAM: many identities, many users, many applications, many admins.
With IAM, governed by one security policy:

— Reduced identities
  − Easier administration
  − Reduced costs
  − Improved auditing for easier compliance
— Users
  − Single sign-on
  − User self-service
— Applications
  − Centralized security
  − Easier app dev
— Centralized administration
  − Reduced admin costs
  − Consistent admin across platforms
  − Automation of IT processes
Unstructured Physical Boundaries

— VM mobility beyond the server room
  − VMs can be copied or cloned
  − Machine memory is accessible from the host
  − Disk space can be accessed from storage
— Challenging physical security
  − Copying a VM = stealing a server from the server room
  − The virtual DC is distributed – not a mainframe
The 4th Dimension - Time

— What happens when we revert to a snapshot?
  − LOST audit events
  − LOST configuration
  − LOST security policy
— Am I still compliant with my policy?
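The loss the slide describes becomes observable only from outside the VM. The Python collector below is an added example, not code from the deck or from CA; it assumes (my assumptions, not the slides') that each VM forwards every audit event to an off-VM collector with a per-VM monotonically increasing sequence number and a hash of its currently loaded security policy, so a revert shows up as the counter running backwards and the policy hash jumping back to an older value.

```python
"""Added example (not from the CA deck): an off-VM audit collector that
detects a VM being reverted to a snapshot.  Assumed: every VM forwards
each audit event with a per-VM monotonically increasing sequence number
and a hash of its loaded security policy.  A revert rewinds the counter
and may reload an older policy; the collector keeps its own copy of every
event, so the audit trail survives although the VM's local log lost it.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class VmState:
    last_seq: int = -1     # highest sequence number seen from this VM
    policy_hash: str = ""  # policy hash carried by the last event received


@dataclass
class Collector:
    vms: Dict[str, VmState] = field(default_factory=dict)
    events: List[dict] = field(default_factory=list)  # off-VM copy of all events

    def ingest(self, event: dict) -> List[str]:
        """Store one event and return the alerts it raises (possibly none)."""
        vm, seq, policy = event["vm"], event["seq"], event["policy_hash"]
        state = self.vms.setdefault(vm, VmState())
        alerts: List[str] = []
        self.events.append(event)

        if seq <= state.last_seq:
            # The counter went backwards: the VM is reusing sequence numbers
            # it already emitted, the signature of a snapshot revert.
            lost = state.last_seq - seq + 1
            alerts.append(f"{vm}: seq {seq} after {state.last_seq}: possible snapshot "
                          f"revert, {lost} event(s) no longer in the VM's local log")
            state.last_seq = seq  # start a new epoch from the rewound counter
        else:
            if state.last_seq >= 0 and seq != state.last_seq + 1:
                alerts.append(f"{vm}: gap, expected seq {state.last_seq + 1}, got {seq}")
            state.last_seq = seq

        if state.policy_hash and policy != state.policy_hash:
            # Either an administrator changed the policy or a revert reloaded an
            # old one; both need a compliance re-check against the intended policy.
            alerts.append(f"{vm}: policy hash changed {state.policy_hash} -> {policy}, "
                          "re-check compliance")
        state.policy_hash = policy
        return alerts


# Constructed sample stream: web-01 runs normally, is reverted to a snapshot
# taken at seq 1 (old policy p0), then continues from the rewound counter.
SAMPLE_EVENTS = [
    {"vm": "web-01", "seq": 1, "policy_hash": "p0", "msg": "boot"},
    {"vm": "web-01", "seq": 2, "policy_hash": "p1", "msg": "policy update applied"},
    {"vm": "web-01", "seq": 3, "policy_hash": "p1", "msg": "admin login"},
    {"vm": "web-01", "seq": 4, "policy_hash": "p1", "msg": "firewall rule added"},
    {"vm": "web-01", "seq": 2, "policy_hash": "p0", "msg": "boot"},  # after revert
    {"vm": "web-01", "seq": 3, "policy_hash": "p0", "msg": "user login"},
]


def run_demo(events: List[dict] = SAMPLE_EVENTS) -> List[str]:
    """Feed the sample stream through a fresh collector and return all alerts."""
    collector = Collector()
    alerts: List[str] = []
    for ev in events:
        alerts.extend(collector.ingest(ev))
    return alerts
```

On the sample stream the collector raises three alerts: the legitimate policy change, the revert (with three events missing from the VM's own log), and the policy hash falling back to the snapshot's value.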
Cloud Model Drives Security Implications
Control vs. Visibility

Diagram from Burton Group report, Cloud Computing Security in the Enterprise, July 2009
Cloud Model Drives Security Implications

Private clouds are a modern form of dedicated IT?
Cloud Model Drives Security Implications

SaaS:
— How do I manage my users’ SaaS accounts & their access?
— How do I collect & analyze SaaS security logs?
Cloud Model Drives Security Implications

PaaS:
— How do I define & enforce access policies in PaaS applications without creating more security silos?
Cloud Model Drives Security Implications

IaaS:
— How do I control privileged users in IaaS…both theirs & ours?
IAM & Trust Before Cloud

— Trust established between the user & enterprise
  − Or between user & each application when applications are siloed
— IAM is deployed on-premise

Diagram: the enterprise (corporate directory acting as “Identity Provider”, IAM, users, in-house applications) and the public network (remote user)
Cloud Adoption & IAM

1. Extend Enterprise Security to the Cloud
2. Security for Cloud Providers
3. Security from the Cloud

Trust models will need to change
1. Extend Enterprise Security to the Cloud

— Enterprises will use more SaaS applications & cloud services
— Trust model will be between user & enterprise
— The on-premise IAM system “extends” out to the cloud
  − Provisioning and SSO to SaaS applications
  − Cloud web services for mashing applications
  − Access governance (certification & attestation) extends to the cloud
  − Log collection of cloud applications

Diagram: the enterprise LAN (corporate directory acting as “Identity Provider”, IAM, users) extending to several cloud directories and a remote user on the public network
1. Extend Enterprise Security to the Cloud

Need to…
— Provision users to SaaS applications (SFDC, Google, etc.)
— SSO (SAML-based) & access control to SaaS applications
— Access control to cloud-based web services for building mashed applications
— Log access to SaaS applications
— Control information while using SaaS applications
1. Extend Enterprise Security to the Cloud

Need to…                                                              Solution
Provision users to SaaS applications (SFDC, Google, etc.)             CA Identity Manager
SSO (SAML-based) & access control to SaaS applications                CA SiteMinder, CA Federation Manager
Access control to cloud-based web services for mashed applications    CA SOA Security Manager
Log access to SaaS applications                                       CA Enterprise Log Manager
Control information while using SaaS applications                     CA DLP
2. Security to Enable Cloud Providers

— Enterprises providing private clouds & organizations providing public clouds
— Security improvements needed to become more trusted
  − Need to provide effective security controls
  − Need to prove their controls through real-time reporting
  − Increase transparency of policies

Diagram: an enterprise private cloud (App 1, App 2, App 3 on a hypervisor and hardware, governed by IAM) beside a public cloud (App 1/App 2/App 3 instances for Customer 1, Customer 2 … Customer n on a hypervisor and hardware, governed by IAM)
2. Entire CA IAM Solution for the Cloud
The control you need to confidently drive business forward

            Control Identities                  Control Access                         Control Information
Focus       Manage and govern identities        Control access to systems &            Find, classify and control how
            and what they can access            applications across physical,          information is used based on
            based on their role                 virtual & cloud environments           content and identity
Products    CA Role & Compliance Mgr            CA Access Control                      CA DLP
            CA Identity Manager                 CA SiteMinder
            CA Enterprise Log Manager           CA Federation Manager
                                                CA SOA Security Manager

Content Aware Identity and Access Management
2. Security to Enable Cloud Providers
Support virtualization & extend control to the hypervisor

— Support virtualization
  − Secure virtual machines
  − Log collection from virtual machines
  − Secure privileged partitions
— Manage complexity
  − Deployment (security encapsulation)
  − Automation
  − Extend policy management
— Repeatable compliance
  − Control identities, access and information
  − Transparency of access and logs
  − Cloud-provider-specific compliance requirements (e.g. SAS 70)
3. Security from the Cloud
Identity Services from the Cloud

— Eventually even user identity (proofing, authentication, authorization/SSO, provisioning…) can be managed by a cloud service
— Trust will be very different
  − User to cloud security service

Diagram: a cloud IM service acting as “Identity Provider” on the public network, alongside the enterprise (corporate directory, IAM app, users, in-house applications), several cloud directories and a remote user
Cloud Adoption & IAM

1. Extend Enterprise Security to the Cloud
2. Security for Cloud Providers
3. Security from the Cloud
Q&A

oded.tsur@ca.com