RSA Approach for Securing the Cloud
Bernard Montel, Technical Director (Directeur Technique), RSA France, July 2010
Security is at the center of EMC’s private cloud strategy
[Diagram: the path from Virtualized Data Center to Private Cloud to Cloud Computing, spanning internal and external clouds, built on Virtualization, Information, Security and Federation; the private cloud is labelled Trusted, Control, Reliable, Secure, Flexible, Dynamic, On-demand, Efficient]
The Journey to the Cloud and its Security Implications
Journey to the Cloud:
• Virtualize non-critical systems: introduce new platform and management components into the IT ecosystem
• Virtualize mission-critical applications: dissociate applications from the physical IT infrastructure
• Create internal clouds: make IT available as a service; IT admin roles converge (storage, network, system, virtual infrastructure)
• Expand to external clouds: externalize the physical IT infrastructure

Security Journey:
• New attack surfaces need to be locked down
• Security policies need to be centered on identity and information, not on infrastructure
• Compliance and security need visibility into the virtual infrastructure
• New perimeters need to be enforced within the virtual infrastructure, aligned with policies
• Security management is converging with virtual infrastructure management
• Evidence of compliance is needed from cloud providers
• Identities and policies need to be federated across clouds
• Multi-tenancy and isolation must be built into the cloud infrastructure
• Information in the physical infrastructure needs to be isolated from service providers' administrators
Cloud’s Emerging Security Challenges
Defining Trusted Zones
Surpassing Physical Infrastructure Security
Question: Does your IT security address the risks associated with virtualization and private cloud before they are implemented?
• "Yes, in all cases": 24%
• "In some cases, but there are gaps": 43%
• "No, security is brought in after the fact": 22%
• "The business moves ahead without security": 11%
Why is this bad? Restricted potential value; increased potential for data breaches.
Source: live EMC Forum poll conducted in 5 cities across N. America, 10/09
Adoption of Cloud Computing is Expanding the Enterprise Attack Surface
[Diagram: across the Endpoint, Network, FS/CMS, Storage and Apps/DB layers, the assets (Business Analytics, Enterprise Applications, Production Database, Disk Arrays, File Server, SharePoint/eRoom, Replica Backup Disk, Backup Tape) are reached by Internal Employees, Privileged Users, Contractors, Remote Employees over VPN, and by Partners, Channels and Customers through Partner Entry Points. Threats shown: IP sent to a non-trusted user, stolen IP, app/DB or encryption key hack, fraud, stolen credentials, endpoint theft/loss, network leak via email/IM/HTTP/FTP etc., privileged-user breach, inappropriate access, tapes lost or stolen, data leak via USB/print, public infrastructure access hack, unintentional distribution, (semi-)trusted user misuse, discarded disk exploited]
Attacks are Now Targeting the Extended Enterprise
60% of Fortune 500 companies were contaminated by a Trojan over a one-month period (August 2009)
Public clouds increase corporations' attack surface by exposing critical corporate applications to attackers
• Trojan attacks targeted at stealing login names and passwords are on the rise
• Corporate espionage is expanding, driving attackers' interest beyond financial institutions
Source: RSA Anti-Fraud Command Center
Traditional Computing: The Network Security Perimeter is Aligned with Policy Boundaries
[Diagram: Enterprise #1 and Enterprise #2 each run their APP/OS stacks on their own physical infrastructure and hold their own identities and information; attackers sit outside both perimeters]
Private Clouds demand a Policy-aware “Trusted Zone” for Data, VM and Identities
[Diagram: Tenant #1 and Tenant #2 run their APP/OS stacks on a virtual infrastructure hosted on the cloud provider's physical infrastructure; each tenant's identities and information share that infrastructure, which attackers target]
Defining Trusted Zones
Trusted Zones Key Capabilities
[Diagram: Tenant #1 and Tenant #2 APP/OS stacks on the cloud provider's virtual and physical infrastructure]
Requirements:
• Isolate information from cloud providers' employees
• Isolate information between tenants
• Isolate infrastructure from Trojans and cybercriminals
• Segregate and control user access
• Control and isolate VMs in the virtual infrastructure
• Federate identities with public clouds
• Enable an end-to-end view of security events and compliance across infrastructures
Capabilities:
• Identity federation
• Virtual network security
• Access management
• Cybercrime intelligence
• Strong authentication
• Data loss prevention
• Encryption & key management
• Tokenization
• Security information & event management, GRC
Creating “Trusted Zones” for cloud applications
• Protect against cybercriminals
– Use cybercrime intelligence
– Implement strong authentication
• Enforce trust policies
– VM level: group VMs into trusted zones; control VM provisioning policies
– Data level: avoid data leakage between tenants; control data in the cloud provider's infrastructure
– Identity level: manage user access within a trusted zone and across trusted zones
• Manage policy compliance across physical, virtual and cloud infrastructures
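As an added illustration of the three policy levels above (not RSA, EMC or VMware code), the following Python sketches the checks a trusted-zone controller would apply: VM-level placement (tenant ownership and a classification ceiling per zone), virtual-network flows between zones (default deny, and no rule may open a cross-tenant path), and identity-level access within and across zones, with cloud-provider staff limited to infrastructure operations and never granted data access. The zone names, tenants, roles, action set and classification ladder are assumptions made for the example.

```python
"""Trusted-zone policy checks for a multi-tenant virtual infrastructure.

Added example, not RSA/EMC/VMware code. Zones, tenants, roles, actions and the
classification ladder are illustrative assumptions.
"""
from dataclasses import dataclass

# Data classifications, least to most sensitive (assumed ladder).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
# What cloud-provider staff may do to a tenant VM: operate it, never read its data.
PROVIDER_ACTIONS = {"power", "migrate", "snapshot"}


@dataclass(frozen=True)
class Zone:
    name: str
    tenant: str       # tenant that owns the zone
    max_level: str    # highest classification the zone may hold


@dataclass(frozen=True)
class VM:
    name: str
    tenant: str
    level: str        # classification of the data the VM handles
    zone: str         # trusted zone the VM is grouped into


@dataclass(frozen=True)
class Principal:
    user: str
    tenant: str       # "provider" marks cloud-provider staff
    roles: frozenset
    zones: frozenset  # zones this user has been granted


def check_provisioning(vm, zone):
    """VM level: violations for placing vm in zone (empty list = allowed)."""
    problems = []
    if vm.tenant != zone.tenant:
        problems.append(f"tenant isolation: {vm.name} ({vm.tenant}) cannot be placed in {zone.name} ({zone.tenant})")
    if LEVELS[vm.level] > LEVELS[zone.max_level]:
        problems.append(f"classification: {vm.level} VM {vm.name} exceeds {zone.name} ceiling {zone.max_level}")
    return problems


def check_flow(src, dst, allow_rules):
    """Virtual-network level: traffic stays inside a zone unless a rule opens a path."""
    if src.zone == dst.zone:
        return True
    if src.tenant != dst.tenant:
        return False   # no rule may open a cross-tenant path
    return (src.zone, dst.zone) in allow_rules


def check_access(who, vm, action):
    """Identity level: access within a zone, across zones, and by provider staff."""
    if who.tenant == "provider":
        return "infra-admin" in who.roles and action in PROVIDER_ACTIONS
    if who.tenant != vm.tenant:
        return False
    if vm.zone not in who.zones:
        return False   # crossing into another trusted zone needs an explicit grant
    if action == "data-access":
        return "data-reader" in who.roles
    return "zone-admin" in who.roles


if __name__ == "__main__":
    db = VM("db01", "tenant1", "restricted", "t1-restricted")
    print(check_provisioning(db, Zone("t2-internal", "tenant2", "internal")))
```

The provisioning check returns every violation rather than the first one, so an operator sees both the tenant mismatch and the classification breach in one pass; the flow check is deliberately asymmetric (a rule from web to db does not open db to web).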
Provide Cybercrime Intelligence and Strong Authentication Based on Feeds from the Dark Cloud
[Diagram: the "dark cloud" (stolen files repository, hacker forum discussion, botnet herders, malware infection point, Trojan mothership, stolen credentials database) observed by the eFraudNetwork, which feeds intelligence to corporate subscribers Corp 1 through Corp 7]
First level of defense: cybercrime intelligence. Second level of defense: strong authentication.
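An added example (not RSA code) of the two levels of defense applied to a login path: the cybercrime-intelligence feed is consulted first, a credential that appears in a stolen-credentials feed forces a step-up to a one-time code, and a session arriving from known botnet infrastructure is refused outright. TOTP (RFC 6238) stands in for the token algorithm here; RSA SecurID uses its own. The feeds, accounts, salt, token secrets and addresses are all constructed for the example.

```python
"""Two-level login defense: cybercrime intelligence first, strong authentication second.

Added example, not RSA code. Feeds, accounts, salt, secrets and addresses are
constructed; a real deployment consumes a live intelligence feed and a token back end.
"""
import hashlib
import hmac
import struct
import time

# Level 1: cybercrime-intelligence feeds (constructed). A real feed carries
# credentials recovered from Trojan drop zones, botnet/C2 addresses, and so on.
STOLEN_CREDENTIAL_SHA1 = {hashlib.sha1(b"Summer2009!").hexdigest()}
BOTNET_SOURCES = {"198.51.100.77"}  # TEST-NET-2 address, illustrative only


def pw_hash(password, salt):
    """Salted PBKDF2 for stored passwords (SHA-1 above is only for matching the feed)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Level 2: RFC 6238 TOTP, the software analogue of a hardware token.
def totp(secret, t, step=30, digits=6):
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def otp_valid(secret, otp, t, step=30):
    """Accept the current and the previous time step to tolerate clock skew."""
    return any(hmac.compare_digest(totp(secret, t - k * step), otp) for k in (0, 1))


# Constructed accounts: bob reuses a password that is in the stolen-credentials feed.
_SALT = b"fixed-salt-for-demo"
USERS = {
    "alice": {"salt": _SALT, "pw": pw_hash("correct horse battery", _SALT), "totp": b"0123456789abcdef0123"},
    "bob":   {"salt": _SALT, "pw": pw_hash("Summer2009!", _SALT),           "totp": b"fedcba9876543210fedc"},
}
_UNKNOWN = {"salt": _SALT, "pw": bytes(32), "totp": b""}  # hashed anyway, so unknown users take equal time


def risk_signals(password, src_ip):
    """Signals raised by the intelligence feeds for this login attempt."""
    signals = set()
    if hashlib.sha1(password.encode()).hexdigest() in STOLEN_CREDENTIAL_SHA1:
        signals.add("credential-in-stolen-feed")
    if src_ip in BOTNET_SOURCES:
        signals.add("source-in-botnet-feed")
    return signals


def login(user, password, src_ip, otp=None, now=None):
    """Returns 'denied', 'step-up' (strong authentication required) or 'allowed'."""
    now = int(time.time()) if now is None else now
    rec = USERS.get(user, _UNKNOWN)
    if not hmac.compare_digest(rec["pw"], pw_hash(password, rec["salt"])):
        return "denied"
    signals = risk_signals(password, src_ip)
    if "source-in-botnet-feed" in signals:
        return "denied"          # session originates from known criminal infrastructure
    if "credential-in-stolen-feed" in signals:
        if otp is None:
            return "step-up"     # the password alone is no longer proof of identity
        return "allowed" if otp_valid(rec["totp"], otp, now) else "denied"
    return "allowed"


if __name__ == "__main__":
    t = int(time.time())
    print(login("bob", "Summer2009!", "203.0.113.5", now=t))
    print(login("bob", "Summer2009!", "203.0.113.5", otp=totp(USERS["bob"]["totp"], t), now=t))
```

Note the ordering: the botnet-source check runs after the password check but before any step-up, so a stolen credential replayed from criminal infrastructure never gets the chance to present a phished one-time code. Only a SHA-1 of the cleartext is compared against the feed; the stored credential stays a salted PBKDF2 hash.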
Virtualization Enables More Effective Security by Pushing Enforcement Down the Stack
Pushing information-security enforcement into the virtualization and cloud infrastructure ensures consistency, simplifies security management and enables customers to surpass the levels of security possible in today's physical infrastructures.
[Diagram: enforcement moves down the stack, from the APP/OS layer to the vApp and VM layer and into the virtual and cloud infrastructure that sits on the physical infrastructure]
Today most security is enforced by the OS and application stack, making it ineffective, inconsistent and complex.
VMware vShield Zones and RSA DLP: Building a Content-Aware Trusted Zone
Overview
• VMware vShield Zones provides isolation between groups of VMs in the virtual infrastructure
• Leverages the capabilities of vShield Zones to deploy DLP as a virtual application monitoring data traversing virtual networks
• Uses centrally managed policies and enforcement controls to prevent data loss in the virtual datacenter
Customer Benefits
• Pervasive protection
• Persistent protection
• Improved scalability
[Diagram: on VMware vSphere over the physical infrastructure, vShield Zones segments the virtual infrastructure and a DLP instance sits in each zone, scanning data flowing between the APP/OS stacks and the internal storage cloud]
Proof of Concept: RSA Data Loss Prevention with EMC Atmos
Concept demonstrated at EMC World 2009
• Atmos metadata updated based on DLP policy
• Sensitive data never leaves customer sites, or is only sent to trusted external cloud sites
• Build content-aware private storage clouds
[Diagram: a Client App stores data in EMC Atmos at the customer site; DLP scans the data and updates the Atmos metadata; data is then federated securely to EMC Atmos Online, the external storage cloud, according to policy]
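An added example (not RSA DLP or EMC Atmos code) covering both the vShield Zones/DLP slide and the Atmos proof of concept above: a DLP scan classifies an object at write time, records the verdict in the object's metadata, and a placement policy then decides which sites may receive a federated copy, so restricted data never leaves the customer site and confidential data goes only to a trusted external site. The detectors (card numbers validated with the Luhn check, US SSN format), the metadata keys, the site names with their ceilings, and the sample objects are assumptions made for the example.

```python
"""Content-aware storage placement: classify, tag metadata, decide where data may go.

Added example, not RSA DLP or EMC Atmos code. Detectors, metadata keys, sites and
sample objects are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# 13-16 digit runs with optional space/dash separators, not embedded in a longer number.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
LEVELS = {"internal": 0, "confidential": 1, "restricted": 2}

# Assumed placement policy: the highest level each site may hold. Restricted data
# never leaves the customer site; confidential data may go to a trusted external site.
SITES = {
    "customer-dc": "restricted",
    "atmos-online-trusted": "confidential",
    "atmos-online-shared": "internal",
}


@dataclass
class StoredObject:
    oid: str
    content: str
    metadata: dict = field(default_factory=dict)


def luhn_ok(digits):
    """Luhn checksum, so order numbers and other digit runs are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(content):
    """DLP policy: (level, findings) where findings counts matches by type."""
    findings = {}
    cards = [m.group(0) for m in CARD_RE.finditer(content)
             if luhn_ok(re.sub(r"\D", "", m.group(0)))]
    if cards:
        findings["card"] = len(cards)
    ssns = SSN_RE.findall(content)
    if ssns:
        findings["ssn"] = len(ssns)
    if "card" in findings:
        level = "restricted"
    elif "ssn" in findings:
        level = "confidential"
    else:
        level = "internal"
    return level, findings


def scan_and_tag(obj):
    """Scan on store and write the verdict into the object's metadata (never the matches)."""
    level, findings = classify(obj.content)
    obj.metadata["x-dlp-level"] = level
    obj.metadata["x-dlp-findings"] = ",".join(f"{k}={v}" for k, v in sorted(findings.items()))
    return level


def may_federate(obj, site):
    """Placement decision read from metadata; an unscanned object is never replicated."""
    level = obj.metadata.get("x-dlp-level")
    if level is None:
        return False
    return LEVELS[level] <= LEVELS[SITES[site]]


def federation_targets(obj):
    return sorted(site for site in SITES if may_federate(obj, site))


if __name__ == "__main__":
    inv = StoredObject("inv-1", "Invoice 2009-08, card 4111 1111 1111 1111, total 120 EUR")
    scan_and_tag(inv)
    print(inv.metadata, federation_targets(inv))
```

Two design points worth keeping in a real deployment: the placement decision reads only the metadata written at scan time, so the external site never needs the content to decide, and an object with no verdict is treated as unplaceable rather than as internal.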
Monitoring and Managing Corporate Policy Compliance
Across virtual, physical, internal and external infrastructures
[Diagram: Tenant #1 and Tenant #2 on the cloud provider's virtual and physical infrastructure, monitored by the components below]
• EMC IONIX and VMware vCenter: virtual infrastructure management
• Security configuration and vulnerability management for physical and virtual infrastructures
• GRC: end-to-end compliance reporting
• RSA enVision: end-to-end security event management
Surpassing Physical Infrastructure Security
Surpassing Physical Security in Action: Virtual Desktop
• RSA SecurID strong authentication for user access to virtual desktops
• RSA Data Loss Prevention Endpoint prevents data loss at the virtual desktop
• RSA enVision event monitoring and a centralized dashboard
• RSA SecurID strong authentication for administrative access to ESX
• EMC IONIX ensures a secure configuration and patch level for all virtual desktops
• Hosted virtual desktops are isolated from dark-cloud contamination by the enterprise perimeter
• Desktops are hosted with VMware View Manager
RSA is Uniquely Positioned to be the Leader in Securing the Cloud
• Securing the private cloud: securing the virtual datacenter; federation between internal and external clouds; security-aware cloud infrastructures
• Securing the public cloud: strong authentication; access management; identity protection; cybercrime monitoring
• Delivering RSA products as cloud services: hosted by RSA (e.g., Adaptive Authentication, eFraudNetwork); delivered by MSSPs or other cloud providers
Thank you!