© 2010 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1
Jean-François Pujol
Cisco Systems
Cloud Security

Quick reminder: Cloud Deployment Models (the NIST deployment models, plus Virtual Private Cloud as "one other")

Public Cloud: cloud infrastructure made available to the general public.
Private Cloud: cloud infrastructure operated solely for an organization.
Virtual Private Cloud: cloud services that simulate the private cloud experience on public cloud infrastructure.
Hybrid Cloud: cloud infrastructure composed of two or more clouds that interoperate or federate through technology.
Community Cloud: cloud infrastructure shared by several organizations and supporting a specific community.

Public vs. Private Cloud Security

While the underlying technology is the same, we may consider two different approaches to the problem:
- Public Cloud: delegation versus trust
- Private Cloud: abstraction/virtualization versus complexity

Considerations about Public Cloud Security

The New World: Shifting Borders

Figure: three borders are moving. The device border (IT consumerization), the location border (the mobile worker), and the application border (internal applications versus IaaS, SaaS and "application as a service").

The (not so) New World: Location Border

Figure: the mobile worker sits outside the location border and reaches internal applications across it.

Traditional Corporate Border

Figure: the corporate border encloses the corporate office, the branch office, and the applications and data; policy is enforced at the border; attackers are outside.

Now with Mobile Users and VPNs

Figure: the same corporate border; the home office and the mobile user are connected through it by VPN, so the corporate policy still applies to them.

With Mobile Users when not protected by VPNs…

Figure: the same corporate border, but the home office and the mobile user now sit outside it, on the attackers' side, beyond the reach of the corporate policy.

The New World: Application Border

Figure: the application border separates internal applications from IaaS, SaaS and "application as a service".

...Everything is Cloud

The Consumer's View of Cloud

These Cloudy Days …

- The Internet is reliable.
- Cloud services are well known in the consumer market, and the consumer market puts pressure on the enterprise world.
- Is LinkedIn a consumer/personal or a business service?
- Enterprises are turning every single task into a process, which creates strong traction for adopting services (OPEX vs CAPEX).

Organizations don't even have the choice …

First security concern

- Enterprises are using unmanaged cloud services today, in a more or less controlled way.
- On public and (almost) free consumer platforms:
  - No real control over the corporate image
  - Risk of information leakage
  - Risk of misleading content
  - Risk of social engineering attacks

Global trend for outsourcing

- Every business process is analyzed, down to a single application and down to any individual.
- If you can define it and measure it, and it is not a core business activity, you want to outsource it.

Can you afford to manage the risk?

Imagine you have:
- A couple of consultants
- Employees under temporary contract
- A complete department that is outsourced (development, marketing, etc.)
- Datacenter operations that are outsourced
- Networks, servers, premises and people that are outsourced
- Cloud-based services

Key to Broader Adoption of Cloud: Trust

Before the economics of cloud computing can be considered, organizations require a trusted service infrastructure: security control, service-level management, and compliance.

Enterprise Deployment Models: Distinguishing between Ownership and Control

Ownership
- Internal resources: all cloud resources owned by or dedicated to the enterprise.
- External resources: all cloud resources owned by providers and used by many customers.

Control
- Private cloud: cloud definition and governance controlled by the enterprise.
- Public cloud: cloud definition and governance controlled by the provider.

Control and Trust evolve with cloud

Figure: the same stack (Data, App, VM, Server, Storage, Network) shown for Dedicated IT, Hosting Provider, Public IaaS, Public PaaS and Public SaaS. Moving from left to right, control of each layer passes from "organization has control" through "organization shares control with service provider" to "service provider has control".

What This Means To Security

The lower down the stack the cloud provider stops, the more security you are tactically responsible for implementing and managing yourself. Examples, from least to most provider-managed: Amazon EC2 (IaaS), Google App Engine (PaaS), Salesforce (SaaS).

Cloud Security Alliance - Guidance

The Cloud Security Alliance's 13 Critical Areas of Focus for Cloud (Security Guidance v2.1):

1. Architecture & Framework

Governing the Cloud
2. Governance & Risk Management
3. Legal & Electronic Discovery
4. Compliance & Audit
5. Information Lifecycle Management
6. Portability & Interoperability

Operating the Cloud
7. Traditional Security, BCM, DR
8. Data Center Operations
9. Incident Response
10. Application Security
11. Encryption & Key Management
12. Identity & Access Management
13. Virtualization

www.cloudsecurityalliance.org

Cloud Security Alliance - Top Threats to Cloud Computing

The Cloud Security Alliance's Top Threats to Cloud Computing V1.0:

1. Abuse and Nefarious Use of Cloud Computing
2. Insecure Interfaces and APIs
3. Malicious Insiders
4. Shared Technology Issues
5. Data Loss or Leakage
6. Account or Service Hijacking
7. Unknown Risk Profile

www.cloudsecurityalliance.org

Some important factors to consider for the service

- Single tenancy / multi-tenancy
- Isolated data / co-mingled data
- Dedicated security / "socialist" (shared) security
- On-premise / off-premise

CloudAudit & the A6 Deliverable

- Provide a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their environments.
- Allow authorized consumers of services to do likewise via an open, extensible and secure interface and methodology.

http://www.cloudaudit.org

That is the question …

- Could your own organization be more secure than a public cloud service?
- (and/or cheaper …)

Salesforce.com: 82,000+ customers …

Could you trust Force.com?

Force.com Security Literature

Security recommendations (Force.com)

1. Educate your users
2. Identify your primary security contact
3. Secure employee systems
4. Implement IP restrictions
5. Strengthen password policies
6. Require secure sessions
7. Decrease the session timeout value

Reference: http://wiki.developerforce.com/index.php/An_Overview_of_Force.com_Security
Security webinar: https://salesforce.acrobat.com/securitywebinar
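Three of these recommendations (4, 6 and 7) are mechanical checks a SaaS, or a gateway in front of it, can enforce on every request. The example below is added here and is neither the deck's nor Salesforce's code: it applies a trusted-range check, a TLS-only rule and an idle-session timeout to constructed login records. The network ranges, timeout, field names and sample users are assumptions for the example.

```python
"""
Added example (not from the Cisco deck or Salesforce): a policy gate for
Force.com recommendations 4 (IP restrictions), 6 (secure sessions) and
7 (short session timeout), run over constructed request records.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Assumed trusted source ranges: corporate egress and the VPN address pool.
TRUSTED_NETWORKS = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/26")]
# Assumed idle timeout, deliberately shorter than a multi-hour default.
SESSION_IDLE_TIMEOUT = timedelta(minutes=30)


@dataclass
class Request:
    user: str
    src_ip: str
    tls: bool                 # was the request carried over HTTPS?
    last_activity: datetime   # last activity seen on this session
    now: datetime             # time of this request


def check_ip_restriction(src_ip: str) -> bool:
    """Recommendation 4: only trusted source ranges may reach the service."""
    addr = ip_address(src_ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def check_secure_session(tls: bool) -> bool:
    """Recommendation 6: anything not carried over TLS is rejected."""
    return tls


def check_session_timeout(last_activity: datetime, now: datetime) -> bool:
    """Recommendation 7: a session idle past the timeout is no longer valid."""
    return now - last_activity <= SESSION_IDLE_TIMEOUT


def evaluate(req: Request) -> List[str]:
    """Return the policy failures for one request; an empty list means allow."""
    failures = []
    if not check_ip_restriction(req.src_ip):
        failures.append("ip_not_trusted")
    if not check_secure_session(req.tls):
        failures.append("insecure_session")
    if not check_session_timeout(req.last_activity, req.now):
        failures.append("session_idle_timeout")
    return failures


# Constructed sample requests, not real traffic.
T0 = datetime(2010, 6, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_REQUESTS = [
    Request("alice", "198.51.100.25", True, T0 - timedelta(minutes=5), T0),  # office, fresh session
    Request("bob", "192.0.2.77", True, T0 - timedelta(minutes=5), T0),       # coffee shop, no VPN
    Request("carol", "203.0.113.9", False, T0 - timedelta(minutes=5), T0),   # VPN pool, plain HTTP
    Request("dave", "198.51.100.8", True, T0 - timedelta(hours=2), T0),      # office, stale session
]


def audit(requests=SAMPLE_REQUESTS) -> Dict[str, List[str]]:
    """Map each user to the failures found; a dry run before tightening settings."""
    return {r.user: evaluate(r) for r in requests}


if __name__ == "__main__":
    for user, failures in audit().items():
        verdict = "ALLOW" if not failures else "DENY " + ",".join(failures)
        print(f"{user:6s} {verdict}")
```

Running the gate as a dry run over real login logs before enabling the restrictions in the SaaS tells you which users would be locked out, which is the usual objection to recommendation 4.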

The New World: Device Borders

Figure: IT consumerization pushes the device border; consumer devices reach internal applications. Are they still corporate assets?

Desktop Virtualization is part of the Security Journey

Concern: Security in a Cloud World

Figure: the corporate border (corporate office, branch office, applications and data, policy) now faces attackers, home-office and mobile users, customers and partners connecting from coffee shops and airports, and applications delivered as Platform, Infrastructure, Software and "X" as a Service.

SaaS Access Control: Regaining Visibility and Control Through Identity

Figure: users in the branch office, corporate office and home office (the latter through the AnyConnect Secure Mobility Client) are redirected at login to SAML-based SaaS single sign-on backed by the corporate directory, with the Web Security Appliance in the path. Benefits: visibility, centralized enforcement, single-source revocation.
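The property the diagram sells is that the SaaS stops being an identity silo: it redirects every login to the enterprise identity provider, and disabling a user in the directory revokes SaaS access everywhere at once. The block below is an added example, not code from the Cisco deck or from any SAML product; it models that flow with a JSON assertion signed by HMAC-SHA256 under a shared key as a stand-in for a SAML Response with an XML-DSig signature. The key, entity ID, directory entries and lifetime are constructed for the example.

```python
"""
Added example (not from the Cisco deck): redirect-at-login SSO with
single-source revocation. The SaaS never sees a password; the IdP consults
the directory and signs a short-lived assertion; the SaaS verifies signature,
audience and expiry. HMAC-SHA256 over canonical JSON stands in for XML-DSig.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

IDP_SIGNING_KEY = b"example-idp-key-not-for-production"   # assumed shared key
SAAS_ENTITY_ID = "https://saas.example.com/sp"            # assumed audience
ASSERTION_LIFETIME = timedelta(minutes=5)
T0 = datetime(2010, 6, 1, 9, 0, tzinfo=timezone.utc)       # fixed clock for the example

# Constructed enterprise directory; "enabled" is the single revocation switch.
DIRECTORY = {
    "alice": {"enabled": True, "groups": ["sales"]},
    "mallory": {"enabled": False, "groups": ["sales"]},   # already left the company
}


def _canonical(claims: dict) -> bytes:
    # Deterministic serialization so signer and verifier hash identical bytes.
    return json.dumps(claims, sort_keys=True).encode()


def _sign(payload: bytes) -> str:
    return hmac.new(IDP_SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def idp_login(user: str, audience: str, now: datetime) -> Optional[dict]:
    """IdP side: sign an assertion for an enabled directory user, else refuse."""
    entry = DIRECTORY.get(user)
    if entry is None or not entry["enabled"]:
        return None
    claims = {
        "subject": user,
        "audience": audience,
        "issued_at": now.isoformat(),
        "not_on_or_after": (now + ASSERTION_LIFETIME).isoformat(),
        "groups": entry["groups"],
    }
    return {"claims": claims, "signature": _sign(_canonical(claims))}


def saas_accept(assertion: Optional[dict], now: datetime) -> Tuple[bool, str]:
    """SP side: accept only a correctly signed, unexpired assertion addressed to this SaaS."""
    if assertion is None:
        return False, "no_assertion"
    expected = _sign(_canonical(assertion["claims"]))
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad_signature"
    claims = assertion["claims"]
    if claims["audience"] != SAAS_ENTITY_ID:
        return False, "wrong_audience"
    if now >= datetime.fromisoformat(claims["not_on_or_after"]):
        return False, "expired"
    return True, claims["subject"]


def login_via_sso(user: str, now: datetime = T0,
                  presented_at: Optional[datetime] = None) -> Tuple[bool, str]:
    """Full redirect flow SaaS -> IdP -> SaaS. presented_at models a replayed assertion."""
    assertion = idp_login(user, SAAS_ENTITY_ID, now)
    return saas_accept(assertion, presented_at or now)


def revoke(user: str) -> None:
    """Single-source revocation: one directory change, no per-SaaS account cleanup."""
    DIRECTORY[user]["enabled"] = False


def tampered_login(user: str, now: datetime = T0) -> Tuple[bool, str]:
    """An attacker rewrites the subject of a valid assertion in transit."""
    assertion = idp_login(user, SAAS_ENTITY_ID, now)
    assertion["claims"]["subject"] = "admin"
    return saas_accept(assertion, now)


if __name__ == "__main__":
    print("alice  ", login_via_sso("alice"))
    print("mallory", login_via_sso("mallory"))
    print("replay ", login_via_sso("alice", presented_at=T0 + timedelta(minutes=10)))
    print("tamper ", tampered_login("alice"))
    revoke("alice")
    print("revoked", login_via_sso("alice"))
```

The short assertion lifetime is what makes directory revocation bite: an assertion captured before the user was disabled is useless minutes later, and the SaaS holds no local credential that would have to be revoked separately. In a real deployment the audience check is what stops an assertion minted for one SaaS being replayed against another.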

AnyConnect Secure Mobility Vision: On-Premise Gateway or Cloud Policy Enforcement

Figure: the AnyConnect client sends traffic either to an on-premise gateway (Cisco ASA with the Cisco Web Security Appliance) or to cloud policy enforcement (integration of ScanSafe's client); the same policy then covers social networking, enterprise SaaS, news and email.

Mobile Users and Secured Cloud Access

Figure: the corporate border (branch office, corporate office, applications and data, policy; attackers outside) extended to the home office and the mobile user, who reach enterprise SaaS through the corporate policy.

Non Secured Users Should Be Filtered Out

Figure: the same diagram; users not covered by the corporate policy are denied access to enterprise SaaS.

Public Services Access Can Be Filtered Out

https://na1.salesforce.com/help/doc/en/salesforce_security_impl_guide.pdf

Considerations about Private Cloud Security

First days of a Private Cloud: Anchored on Trust & Control

Trusted, controlled, reliable, secure: CLOSED.

Highly Virtualized Data Centers and Cloud Computing: Targeting Agility and Efficiency

Trusted, controlled, reliable, secure, and now also flexible, dynamic, on-demand, efficient.

Virtualization & Cloud Driving New Requirements in the Data Center

Figure: two virtual data centers (VDC-1, VDC-2) of App/OS virtual machines on a hypervisor, each with dedicated network services: firewall, SLB/ADC, WAN optimization.

Virtual Service Nodes (VSNs)
- Virtual appliance form factor
- Dynamic instantiation/provisioning
- Service transparent to VM mobility
- Support scale-out
- Large-scale multi-tenant operation

Virtual Network Services
- Application-specific services
- Form factors: appliance, switch module

Fully Inter-connected Network Services Vision

Figure: inter-connected services across physical and virtual environments. Distribution-layer services (ASA) and virtual network services (Virtual Service Nodes on the Nexus 1000V, reached through vPath) are tied together by the Service Insertion Architecture (SIA).

Data Center Security Challenges

- Virtualization
- Applications
- Data loss
- Compliance
- Availability

Cloud-Specific Issues Emerging

- Organizational and operational misalignment
- Monoculture of operating systems, virtualized components and platforms
- Privacy of data/metadata, exfiltration and leakage
- Inability to deploy compensating or detective controls
- Segmentation and isolation in multi-tenant environments...

Cloud Happiness

The cloud can provide the following security benefits:
- Centralized data (sort of...)
- Segmented data/applications
- Better logging/accountability
- Standardized images for asset deployment
- Better resilience to attack and streamlined incident response
- More streamlined audit and compliance
- Better visibility into process
- Faster deployment of applications, services, etc.

Key Takeaways (From A Customer's Perspective)

- Have a risk assessment methodology; classify assets and data.
- Interrogate vendors and providers; use the same diligence that you would for outsourced services today; focus on resilience/recovery, SLAs, confidentiality, privacy and segmentation.
- The challenge is to match business/security requirements against the various *aaS model(s).
- Each of the *aaS models provides a delicate balance of openness, flexibility, control, security and extensibility.
- Regardless of the model, you are still responsible for some element of security.

References

- Cloud literature on Cisco.com: http://www.cisco.com/en/US/netsol/ns976/index.html
- Cloud Computing Google Groups:
  - Cloud Computing: http://groups.google.com/group/cloud-computing
  - Cloud Computing Interoperability Forum: http://groups.google.com/group/cloudforum
  - Cloud Storage: http://groups.google.com/group/cloudstorage
- Attend a local
- Join the Cloud Security Alliance & CloudAudit...