Private cloud day session 5 a solution for private cloud security



  2. Agenda
     • Key Security Differences in Private Cloud
     • Private Cloud Security Principles
     • Private Cloud Security Challenges
     • Private Cloud Reference Model
     • Private Cloud Security Model
  3. Cloud Security Threats and Countermeasures at a Glance
  4. Multitenancy in private cloud
     • Multiple orgs and divisions
     • Requires logical separation
     • Authentication
     • Authorization
     • Access controls
  5. Mobile Workloads: Automated Mobility, Unlinked from Px
     Security Tools: Playing catch-up
     Virtualization of Security Controls:
     • Integrate with the private cloud fabric
     • Provide separate configuration interfaces
     • Provide programmable elastic, on-demand services
     • Support policies governing logical attributes
     • Enable trust zones separating multiple tenants in a dynamic environment
  6. Apply generic security best practices. Principles provide general rules and guidelines to support the evolution of a secure cloud infrastructure. They are enduring, seldom amended, and inform and support the way you secure the private cloud. These principles form the basis on which a secure cloud infrastructure is planned, designed and created.
     • Security is a wrapper
     • Enforce isolation
     • All data locations accessible
     • Attackers are
     • Use strong cryptography
     • Automate security operations
     • AuthN and AuthZ
     • Minimize attack
     • Limit “routing”
     • Audit extensively
     • Strong GRC service
  7. As a consumer (tenant) of the services offered by a private cloud in my enterprise, I require that application data is secure, no one else can access it, and that the data is safe if something untoward occurs.
     • Prevent leakage between tenants
     • Also applies to administrators
     • Role Based Access Control
     • AAA
  8. As the architect, designer, or operator of a private cloud solution, how do I control who has access to my private cloud services and how do I monitor and audit the use of my services?
     Who has authority to: Demand, Provision, Use, Release
  9. I am concerned that a rogue application, client, or denial of service (DoS) attack might destabilize the data center by requesting a large amount of resources. How do I reconcile the perception of infinite resources with reality?
  10. As an architect of a private cloud Bring Your Own Device solution, I want to be sure that an appropriate level of security applies regardless of client location and regardless of form factor. This requirement applies to both cloud management and application security.
     • Assess device state
     • Application access control
     • Data on device
  11. Driven By:
     • IPv6
     • Porous borders
     • “Tail Chasing”
     • Cost/benefit
  12. A Reference Model is:
     • Abstract
     • Describes entities and their relationships
     • Defines and clarifies a problem space
     • Technology agnostic
     A Reference Model can be used to:
     • Create standards for objects in the model
     • Break down a large problem space
     • Define concepts and relationships
     • Define and create roles and responsibilities
     • Compare different things (software solutions)
  13. Security Domains / Security Functionality:
     • Infrastructure Security
     • Platform Security
     • Software Security
     • Service Delivery Security
     • Management Security
     • Client Security
     • Legal/Compliance
  14. Hypervisor architecture (diagram):
     • Root Partition: Ring 3 holds the Virtualization Stack and VM Worker Processes; Ring 0 holds the Windows Kernel (Server Core), Device Drivers and VMBus
     • Guest Partitions: Ring 3 holds Guest Applications; Ring 0 holds the guest OS Kernel and VMBus
     • “Ring -1”: Windows hypervisor
     • Hardware: Storage, NIC, CPU
  15. Two hypervisor layouts (diagram): on the left, a Root Partition (Admin) beside Guest Partitions VM 1 and VM 2, with Virtualization Stack, Drivers, Hypervisor and Hardware; on the right, VM 1, VM 2 and VM 3 with Virtualization Stack, Drivers, Hypervisor and Hardware.
     “The fact is, the absolute last place you want to see drivers is in the hypervisor, not only because the added abstraction layer is inevitably a big performance problem, but because hardware and drivers are by definition buggier than "generic" code that can be tested.” Linus Torvalds
  16. Data Center’s Physical Servers, Guest OS, Data-Center Network