Addressing the new security challenges posed by virtualisation & cloud computing - Rik Ferguson, Senior Security Advisor, Trend Micro

1. Addressing the new security challenges posed by virtualisation & cloud computing Rik Ferguson • Senior Security Advisor

3. Ubiquitous network access

4. Location independent resource pooling

5. Rapid elasticity

7. Security: the #1 Cloud Challenge

8. Who Has Control? Servers Virtualization & Private Cloud Public Cloud PaaS Public Cloud IaaS Public Cloud SaaS End-User (Enterprise) Service Provider

9. Amazon Web Services™Customer Agreement 7.2. Security. We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications. http://aws.amazon.com/agreement/#7 (3 March 2010) The cloud customer has responsibility for security and needs to plan for protection.

10. The Evolving Datacentre Stage 1 Consolidation Stage 2 Expansion & Desktop Stage 3 Private > Public Cloud Cost-efficiency  + Quality of Service  + Business Agility  Servers 85% 70% 30% Virtualization Adoption Rate Desktops 15% Datacentres are evolving to drive down costs and increase business flexibility

11. Security Challenges in the Cloud Stage 1 Consolidation Stage 2 Expansion & Desktop Stage 3 Private > Public Cloud Cost-efficiency  + Quality of Service  + Business Agility  Servers 85% 70% 30% Virtualization Adoption Rate Desktops Inter-VM attacksInstant-ON gapsMixed Trust Level VMsResource ContentionMaintaining ComplianceService Provider (in)SecurityMulti-tenancy 15% Inter-VM attacksInstant-ON gapsMixed Trust Level VMsResource ContentionMaintaining Compliance Inter-VM attacksInstant-ON gaps

12. The Enterprise Cloud Conundrum:The Cloud is Fantastic, but… How can I maintain control of my data in the cloud? What if I want to change cloud vendors? How can I verify my data is “destroyed” when terminating a service provider? What happens if my service provider goes out of business? How can I comply with security best practices, internal governance and compliance rules in the cloud? How can I guarantee only I have access to my data?

13. Challenges for Public Cloud Multiple customers on one physical server – potential for attacks via the hypervisor Shared network inside the firewall Internet Shared Storage Shared Firewall Shared firewall – Lowest common denominator – less fine grained control Easily copied machine images – who else has your server? Shared storage – is customer segmentation secure against attack? Virtual Servers

14. Data Security Challenges in the Cloud Encryption rarely used: - Who can see your information? Storage volumes and servers are mobile: - Where is your data? Has it moved? Rogue servers might access data: - Who is attaching to your storage? Audit and alerting modules lacking: - What happened when you weren’t looking? Encryption keys tied to vendor: - Are you locked into a single security solution? Who has access to your keys? Storage volumes contain residual data: - Are your storage devices recycled securely? Name: John Doe SSN: 425-79-0053 Visa #: 4456-8732… Name: John Doe SSN: 425-79-0053 Visa #: 4456-8732… 11 Classification 2/7/2011

15. Physical layer Could retool New Shared Storage systems Designed to segment multiple hostile tenants Dynamic firewall policies Different and flexible for every customer Strongly segmented networks Hardened switches that can’t be hacked from the inside

16. The security arms race Existing infrastructure hits EOL too early Every customer wants to inspect and audit They have to for their compliance Always someone demanding the latest security feature More frequent swap out cycle Lower ROI Need permission from every customer to make a change Your kit has become part of their security audit You end up stuck in an impossible position where you make less money and still can’t keep the customers happy

17. Logical Layer Customer has responsibility for their data Give them a solution to help them deliver on that Let them segment their data Away from other customers (may be the bad guy) Away from you (don’t inherit a liability) Look for something that runs on top of any hardware You run your own swap out programmes without interference

18. Challenge of Securing Data Datacenter Public Cloud Perimeter Company 1 Company 2 Company 3 Company 4 Company 5 Company n App 1 App 2 App 3 … App 2 App 1 App 3 App 4 App 5 App n Hypervisor Hypervisor Strong perimeter security No shared CPU No shared network No shared storage Weak perimeter security Shared CPU Shared network Shared storage Traditional “outside-in” approach is inadequate in an “inside-out” cloud world full of strangers

19. Protection at the OS levelServer & application protection for: PHYSICAL VIRTUAL & PRIVATE CLOUD PUBLIC CLOUD Deep Packet Inspection Firewall Integrity Monitoring Log Inspection Malware Protection IDS / IPS Web App. Protection Application Control

20. Protection at the Data LevelEncryption designed to secure the cloud Cloud Service Provider Enterprise Datacenter or SaaS Offering VM CorporateApp Hypervisor Enterprise Key SharedStorage Cloud SecurityConsole MyEnterprise Data

21. Protection Coverage Data at rest Encrypted while stored Data in motion Encrypted on internal network Encrypted while passing through hypervisor Data in use Data must ultimately be decrypted at the point of use SecureCloud ensures that happens in a secure way

22. Challenges for Public Cloud:The Private Security Answer Multiple customers on one physical server – potential for attacks via the hypervisor Shared network inside the firewall Doesn’t matter – the edge of my virtual machine is protected Doesn’t matter – treat the LAN as public Internet Shared Storage Shared Firewall Shared firewall – Lowest common denominator – less fine grained control Shared storage – is customer segmentation secure against attack? Easily copied machine images – who else has your server? Virtual Servers Doesn’t matter – They can start my server but only I can unlock my data Doesn’t matter – My data is encrypted Doesn’t matter – treat the LAN as public

23. Thank You