Securing the Private Cloud
Franz Kasparec PMP MBCI CISSP
EMC vSpecialist Sales – Business Development Manager EMEA East
The Aspects of Security
Confidentiality
• My data is kept secret.
Integrity
• My data is not compromised.
Availability
• My data is there when I need it.
PLUS: Compliance
• Regulations must be followed as part of due care, e.g.:
• Preventive/detective controls
• No cross-border data transfer
• ISO 27001 et al. certifications
Where Is the Enemy?
Outside? Do computing clouds have a perimeter to secure?
Inside? Or do we need to be information-centric?
What Else Makes Cloud Special?
• Consolidation of IT infrastructure on top of a new software layer below the OS layer
• A vantage security enforcement point
Diagram: virtual host stack, top to bottom: Apps, Guest OS, Virt. FW, Virt. switch, Hypervisor, Hardware (IT-as-a-Service)
• Separation of duties is challenged
• Need to retrain and reorient ops teams
• Opportunity to improve security operations
Diagram: roles around the virtualization administrator: network admin, security admin, host admin
• Visibility into external service providers
• Secure multi-tenancy concerns
• Trustworthiness
RSA Approach to Securing the Cloud
1. Build security into the VCE Stack
2. Deliver integrated solutions tailored to cloud security needs
a) RSA Solution for Virtual Desktop
b) RSA Solution for Cloud Security and Compliance
3. Partner with VMware and Cloud Technology leaders to provide better security
– VMware: vShield’s new security architecture
– Intel: Hardware Chain of Trust (Technology preview)
– EMC: Content-aware cloud storage
A Holistic Approach to Cloud Security
Diagram: business context (define policy, map to controls, report on risk, assess compliance) feeding a loop of monitor | audit | report, add context, correlate, manage, monitor, detect, enforce across Identities, Infrastructure and Information
Manage governance, risk + compliance: RSA Archer eGRC Suite, RSA enVision
Identities: Authentication (SecurID, Adaptive Auth, Federated Identity Mgr); Access / Provision (Access Manager); Fraud Prevention (FraudAction, Transaction Monitoring, Identity Verification, eFraud Network)
Information: Data Loss Prevention (DLP, Cisco IronPort, Network Partners, Endpoint Partners); Encryption & Tokenization (RKM App, RKM DC, BSAFE, Microsoft RMS, Tokenization)
Infrastructure: Network Security Feeds, Endpoint Security Feeds, Infrastructure Feeds, Ionix Config Mgmt
Cycle of Compliance: RSA Solution for Cloud Security and Compliance
Diagram: cycle around RSA Archer eGRC: discover VMware infrastructure, define security policy, manual and automated configuration assessment, remediation of non-compliant controls, manage security incidents that affect compliance
• Over 100 VMware-specific controls added to Archer library, mapped to regulations/standards
• Solution component automatically assesses VMware configuration and updates Archer
• RSA enVision collects, analyzes and feeds security incidents from RSA, VMware and ecosystem products to inform Archer dashboards
• RSA Securbook
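The cycle above relies on a component that checks host configuration against a control library mapped to regulations and feeds the result to a dashboard. The following is an added example of that assessment step, not the RSA/VMware solution component: the control ids, setting names, regulation references and the two host configurations are all constructed for the demo, and the checks are deliberately strict so that a setting missing from discovery counts as a failure rather than an unknown.

```python
"""Illustrative automated configuration assessment of virtualization hosts
against a control library mapped to regulations. Added example, not the
RSA/VMware solution component; control ids, setting names, regulation
references and host configurations are all constructed for the demo."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Control:
    control_id: str
    description: str
    setting: str                      # key looked up in the host configuration
    check: Callable[[Any], bool]      # returns True when the observed value passes
    regulations: Tuple[str, ...]      # standards this control is mapped to (illustrative)


# Hypothetical control library; the real Archer library is not on the page
CONTROLS: List[Control] = [
    Control("VM-001", "Interactive shell sessions time out",
            "UserVars.ESXiShellTimeOut", lambda v: isinstance(v, int) and 0 < v <= 900,
            ("PCI DSS 8.1.8",)),
    Control("VM-002", "SSH service disabled on the host",
            "ssh_enabled", lambda v: v is False, ("PCI DSS 2.2", "ISO 27001 A.12")),
    Control("VM-003", "Lockdown mode restricts direct host access",
            "lockdown_mode", lambda v: v in ("normal", "strict"), ("ISO 27001 A.9",)),
    Control("VM-004", "Logs forwarded to a remote collector",
            "Syslog.global.logHost", lambda v: isinstance(v, str) and v != "",
            ("PCI DSS 10.5",)),
]

# Constructed host configurations (what a discovery step would return)
HOSTS: Dict[str, Dict[str, Any]] = {
    "esx-01": {"UserVars.ESXiShellTimeOut": 600, "ssh_enabled": False,
               "lockdown_mode": "normal",
               "Syslog.global.logHost": "udp://siem.example.internal:514"},
    "esx-02": {"UserVars.ESXiShellTimeOut": 0, "ssh_enabled": True,
               "lockdown_mode": "disabled"},       # no remote syslog configured at all
}


def assess_host(host_id: str, config: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Evaluate every control against one host; a missing setting is a failure,
    not an unknown, so gaps in discovery cannot silently pass."""
    findings = []
    for c in CONTROLS:
        if c.setting not in config:
            status, reason = "non-compliant", "setting not present"
        elif c.check(config[c.setting]):
            status, reason = "compliant", "ok"
        else:
            status, reason = "non-compliant", f"observed {config[c.setting]!r}"
        findings.append({"host": host_id, "control": c.control_id, "status": status,
                         "reason": reason, "regulations": c.regulations})
    return findings


def compliance_summary(findings: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Counts plus the failing control ids: the shape a dashboard feed would carry."""
    failing = [f["control"] for f in findings if f["status"] != "compliant"]
    return {"compliant": len(findings) - len(failing),
            "non_compliant": len(failing), "failing_controls": failing}


def gaps_by_regulation(findings: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Group failing controls under each regulation they map to (the 'report on risk' view)."""
    gaps: Dict[str, List[str]] = {}
    for f in findings:
        if f["status"] == "compliant":
            continue
        for reg in f["regulations"]:
            gaps.setdefault(reg, []).append(f["control"])
    return gaps


if __name__ == "__main__":
    for host_id, cfg in HOSTS.items():
        result = assess_host(host_id, cfg)
        print(host_id, compliance_summary(result), gaps_by_regulation(result))
```

Running it shows esx-01 passing every control and esx-02 failing all four, with the missing syslog setting reported as "setting not present" rather than being skipped; the per-regulation grouping is what lets a dashboard report risk per standard instead of per host.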
RSA Archer for Virtualization and Cloud Coming to Vblock in 2011
RSA Archer for orchestrating security of the Vblock
vSphere
Storage
Server blades
Networking
Virtual Machines
RSA Archer eGRC
Available
now
2011
RSA SecurID
Strong authentication – need 2 of 3:
• Something you know
• Password, PIN, …
• Something you are
• Biometrics
• Something you have
• Security token (card, FOB, …)
RSA enVision Log Management Platform
• Simplifying compliance: compliance reports for regulations and internal policy (auditing, reporting)
• Enhancing security: real-time security alerting and analysis (forensics, alert / correlation)
• Optimizing IT & network operations: IT monitoring across the infrastructure (visibility, network baseline)
Purpose-built database (IPDB)
Diagram: RSA enVision collecting from servers, storage, applications / databases, security devices and network devices
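The "alert / correlation" pillar above is easiest to see on concrete events. The following is an added example, not RSA enVision code: it parses a few constructed syslog-style lines from a vCenter-like and a host-like source, raises an alert when a burst of failed logins for one user is followed by a success, and turns a control being switched off on an in-scope host into a compliance incident. The log format, field names, thresholds and the in-scope host list are all assumptions.

```python
"""Illustrative alert correlation over constructed virtualization logs.
Added example, not RSA enVision code. Log format, field names, thresholds
and the list of in-scope hosts are assumptions made for the demo."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample events (syslog-like); not real vCenter/ESXi output
SAMPLE_LOGS = """\
2011-03-01T10:00:01Z vcenter01 vpxd: user=admin src=10.0.0.5 result=FAIL
2011-03-01T10:00:09Z vcenter01 vpxd: user=admin src=10.0.0.5 result=FAIL
2011-03-01T10:00:15Z vcenter01 vpxd: user=admin src=10.0.0.5 result=FAIL
2011-03-01T10:00:40Z vcenter01 vpxd: user=admin src=10.0.0.5 result=SUCCESS
2011-03-01T10:02:00Z esx-02 hostd: config=ssh_enabled old=false new=true user=admin
2011-03-01T11:00:00Z vcenter01 vpxd: user=ops src=10.0.0.7 result=FAIL
2011-03-01T11:30:00Z vcenter01 vpxd: user=ops src=10.0.0.7 result=SUCCESS
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<src>\w+): (?P<kv>.*)$")
PCI_SCOPE_HOSTS = {"esx-02"}          # hypothetical: hosts whose controls are in audit scope


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Normalize one line into a flat event dict; unparseable lines are dropped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["kv"].split())
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "host": m["host"], "source": m["src"], **fields}


def parse_logs(text: str) -> List[Dict[str, object]]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def correlate_auth(events, threshold: int = 3, window: timedelta = timedelta(minutes=5)):
    """Alert when a user accumulates >= threshold failures inside `window` and
    then succeeds; an isolated failure long before a success is not flagged."""
    alerts = []
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e.get("result") is None:           # not an authentication event
            continue
        user = e["user"]
        recent = [t for t in failures[user] if e["ts"] - t <= window]
        if e["result"] == "FAIL":
            failures[user] = recent + [e["ts"]]
        elif e["result"] == "SUCCESS":
            if len(recent) >= threshold:
                alerts.append({"rule": "success-after-failures", "user": user,
                               "src": e["src"], "ts": e["ts"], "failures": len(recent)})
            failures[user] = []                # window resets after a success
    return alerts


def compliance_incidents(events):
    """A configuration change that disables a control on an in-scope host is
    an incident that affects compliance, not just a security event."""
    incidents = []
    for e in events:
        if ("config" in e and e["host"] in PCI_SCOPE_HOSTS
                and e["config"] == "ssh_enabled" and e["new"] == "true"):
            incidents.append({"rule": "control-disabled", "host": e["host"],
                              "control": e["config"], "user": e["user"], "ts": e["ts"]})
    return incidents


if __name__ == "__main__":
    evts = parse_logs(SAMPLE_LOGS)
    print(correlate_auth(evts))
    print(compliance_incidents(evts))
```

On the sample, the admin burst produces one alert (three failures, then success within the window), the ops pair does not (one failure, success half an hour later), and the SSH change on esx-02 becomes one compliance incident; in a real feed the incident record is what would update the dashboard.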
RSA Data Loss Prevention Suite
RSA DLP Enterprise Manager: policy management, system administration, reporting & dashboard, incident workflow; third-party enforcement controls
• DLP Datacenter: discover sensitive data in content repositories; enforce controls on sensitive data
• DLP Network: monitor all traffic for sensitive data; enforce controls on sensitive transmissions
• DLP Endpoint: discover sensitive data and monitor user actions; enforce controls on both data and user actions
Diagram: policies flow from Enterprise Manager to the DLP components, incidents flow back
RSA/VMware/Intel Vision: Verifying the Chain of Trust to control VM in the Cloud
Diagram: cloud compliance dashboard built from RSA Archer (Archer apps, Data Feed Manager, VMware Hardening Guidelines), RSA ADML (Advanced Data Management Layer, ADML apps), RSA Data Loss Prevention (DFM integration), RSA enVision, VMware vCenter Server and VMware ESXi, running on Intel Westmere processors with Intel Trusted Execution Technology
Proof of Concept for Measuring and Monitoring Cloud Infrastructure Security at RSA Conference 2010
Diagram: cloud provider compliance dashboard showing, per security offering (Bronze, Silver, Gold, Platinum): hardening guidelines, tuned for PCI, trusted HW from Intel, dedicated
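The two slides above (verifying the chain of trust to control VM placement, and the proof of concept that exposes trusted hardware as a dashboard attribute) describe an idea that is easier to grasp in code. The following is an added example, not RSA, VMware or Intel code: it models a measured boot as TPM-style register extends, compares a host's reported measurement with a golden value, refuses to place a VM that requires trusted hardware on a host that fails attestation, and produces the per-host trust view a dashboard would show. The boot components, digest choice, the "requires_trusted_hw" tag and the placement policy are all constructed; real Intel TXT measurements and their PCR layout are not on the page.

```python
"""Illustrative hardware chain-of-trust check used to decide where a VM may run.
Added example, not RSA/VMware/Intel code: the PCR-style extend, the 'golden'
boot components, the VM tag and the placement policy are constructed."""
import hashlib
import hmac
from typing import Dict, List, Optional

DIGEST_LEN = 32


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new = H(old || measurement). Order-dependent and one-way,
    so a later boot stage cannot rewrite what an earlier stage recorded."""
    return digest(pcr + measurement)


def measure_boot_chain(components: List[bytes]) -> bytes:
    """Extend a zeroed register with the digest of each boot stage, in order."""
    pcr = bytes(DIGEST_LEN)
    for blob in components:
        pcr = extend(pcr, digest(blob))
    return pcr


# Constructed known-good images a provider would measure on a reference host
GOLDEN_BOOT_CHAIN = [b"firmware-v1.2", b"bootloader-v3.0",
                     b"hypervisor-kernel-4.1", b"hypervisor-modules-4.1"]
GOLDEN_PCR = measure_boot_chain(GOLDEN_BOOT_CHAIN)


def attest_host(reported_pcr: bytes, expected_pcr: bytes = GOLDEN_PCR) -> bool:
    """A host is trusted only if its reported measurement equals the golden value;
    compare_digest keeps the comparison constant-time."""
    return len(reported_pcr) == DIGEST_LEN and hmac.compare_digest(reported_pcr, expected_pcr)


def place_vm(vm: Dict[str, object], hosts: Dict[str, Dict[str, bytes]]) -> Optional[str]:
    """Rank hosts trusted-first; a VM that requires trusted hardware is never
    placed on an unattested host, even if that means no placement at all."""
    ranked = sorted(hosts, key=lambda h: (not attest_host(hosts[h]["pcr"]), h))
    if vm.get("requires_trusted_hw"):
        ranked = [h for h in ranked if attest_host(hosts[h]["pcr"])]
    return ranked[0] if ranked else None


def trust_report(hosts: Dict[str, Dict[str, bytes]], placements) -> Dict[str, List[str]]:
    """Dashboard view: trust state per host plus VMs whose requirement is violated.
    `placements` is a list of (vm, host_id) pairs as currently running."""
    trusted = {h: attest_host(hosts[h]["pcr"]) for h in hosts}
    violations = [vm["name"] for vm, h in placements
                  if vm.get("requires_trusted_hw") and not trusted[h]]
    return {"trusted_hosts": sorted(h for h, t in trusted.items() if t),
            "untrusted_hosts": sorted(h for h, t in trusted.items() if not t),
            "violations": violations}


if __name__ == "__main__":
    tampered = measure_boot_chain([b"firmware-v1.2", b"bootloader-v3.0",
                                   b"hypervisor-kernel-4.1-patched", b"hypervisor-modules-4.1"])
    fleet = {"h1": {"pcr": GOLDEN_PCR}, "h2": {"pcr": tampered}}
    print(place_vm({"name": "card-db", "requires_trusted_hw": True}, fleet))
    print(trust_report(fleet, [({"name": "card-db", "requires_trusted_hw": True}, "h2")]))
```

Two properties carry the security argument: changing any single stage (or merely reordering the stages) yields a different final value, so the golden comparison catches both tampering and an unexpected boot path; and the placement policy fails closed, returning no host rather than silently degrading to untrusted hardware.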
RSA Cloud Trust Authority (Beta 2H2011)
Set of cloud-based services designed to facilitate secure and compliant relationships between enterprises and multiple cloud providers
Enables visibility and control of Identities, Infrastructure and Information to foster trust for organisations to adopt cloud-based services
What's new?
• Identity services (VMware) provide end user access and provisioning, federation and SSO
• Compliance Profiling Service, view trust profiles against CSA recommendations
• EMC Cloud Advisory Service with Cloud Optimizer to evaluate workloads for suitability for Cloud adoption