
A Plan to Control and Protect Data in the Private and Public Cloud

Date post: 18-Nov-2014
Upload: rochester-security-summit
Description:
Despite cloud computing’s maturation as an enterprise IT application or infrastructure option, IT management concerns persist, notably in the areas of security, IT governance, and business continuity. The speaker will focus on security and data governance issues regarding deployment of private, hybrid and public clouds, and offer a pragmatic plan for resolving these concerns. This plan navigates the tangle of security responsibilities between enterprises and cloud service providers to enable IT managers to leverage the economics and flexibility provided by cloud-based applications. The plan focuses on how companies can create secure spaces in the cloud and both protect and control data in those spaces. Todd Thiemann, Senior Director, Datacenter Products, Trend Micro, Inc. Todd Thiemann has been with Trend Micro for over eight years and is currently responsible for planning Trend Micro’s products and technologies designed to secure datacenter information, including virtualization and cloud security, DLP, and encryption. Todd is also co-chair of the Cloud Security Alliance Solution Provider Forum. Todd holds a BS degree from Georgetown University and an MBA from the Anderson School of Business at the University of California, Los Angeles.
Transcript
Page 1: A Plan to Control and Protect Data in the Private and Public Cloud

Copyright 2009 Trend Micro Inc.

A Plan To Control and Protect Data in the Private and Public Cloud
Todd Thiemann • Senior Director, Datacenter Security
Trend Micro

Page 2

Why virtualization & cloud matters

Speed and Business Impact

Expertise and Performance

Cost Reduction

1) The Cloud Imperative… “If by mid-year you have not developed and begun to execute upon an ambitious and enterprise-wide cloud strategy, then by year-end the odds are good you'll no longer be a CIO.” “Global CIO: The Top 10 CIO Issues For 2010”, InformationWeek, 21 December 2009

Page 3

Virtualization & Cloud Have Management Attention


Source: “The 2010 Gartner Scenario: The Current State and Future Directions of the IT Industry”, Gartner 14 June 2010

Page 4

Realized Benefits of Cloud Computing: Enterprises Reducing Costs, Increasing Agility

Pharmaceutical R&D and The Cloud: “Drug behemoth Eli Lilly and Co. …uses Amazon's Elastic Compute Cloud (EC2) for scientific collaboration and computations … because they empower many subsets of users.” SearchCIO.com, 30 July 2009

Public Cloud for Backup & Storage: Using public cloud services, GE reduced backup costs by 40% to 60% and created reusable processes in a rapidly deployable model. Matt Merchant, General Electric (December 2009)

Gartner Top 10 Strategic Technologies in 2010: “Cloud Computing. Organizations should think about how to approach the cloud in terms of using cloud services, developing cloud-based applications and implementing private cloud environments.” SearchCIO.com, 22 October 2009

Cloud Computing & Security: “CISOs and Security Architects: Don't let operations-led projects lower your security profile. Engage in a discussion of the issues now, not after the fact.” Neil MacDonald, Gartner (Gartner Data Center Conference, December 2009)

Page 5

Security: the #1 Cloud Challenge

“Security and privacy were the foremost concerns by far, with a weighted score higher than the next three (performance, immaturity and regulatory compliance) combined.” Gartner (April 2010)

Page 6

“Typical” Customer Virtualization Evolution (chart; the 15% / 30% / 70% / 85% adoption ticks for servers and desktops are omitted)

Phase 1 Consolidation: DC Consolidation
- Non-mission critical base applications
- Standardized hypervisor
- Simple VM management

Phase 2 Expansion & Desktop: Mission critical applications & Endpoint Control
- Performance becomes critical
- API and advanced management use
- VDI sampling
- Enhanced compliance controls

Phase 3 Private > Public Cloud: Public and private cloud
- Multi-hypervisor
- Virtualized storage
- Multi-tenancy
- Workload management
- Dedicate or burst to public

Page 7

The Evolving Datacenter: Lowering Costs, Increasing Flexibility (chart)

Physical: Traditional Datacenter
Virtual: Consolidation • Cost Center • Single Hypervisor • Data per App
Private Cloud: Multi-Tenant • Charge Back • Multi-Hypervisor • Data Sharing
Public Cloud: Outsourced • Metered • Shared Resources • Data Mobility

Infrastructure Security and Data Protection must keep up with Cloud Evolution

Page 8

Phase 1 Security Challenge

Perimeter-only (“Outside-in”) approach together with rapid virtualization have created less secure application environments.

“Through 2012, 60% of virtualized servers will be less secure than the physical servers they replace.” “Addressing the Most Common Security Risks in Data Center Virtualization Projects”, Gartner, 25 January 2010

Page 9

Phase I: The virtual datacenter is very dynamic!

(diagram: hypervisor surrounded by the challenges Inter-VM attacks, PCI, Mobility and Cloud Computing)

New Challenges Require a New Security Architecture

Page 10

Virtual Machines Need Specialized Protection

Same threats in virtualized servers as physical.

New challenges:
1. Instant-on / dormant VMs
2. Resource contention
3. VM sprawl
4. Inter-VM traffic
5. vMotion

Page 11

Virtualization Security Foundation: “Secure the workload”

(diagram: VM1 (App1 on OS1) and VM3 (App3 on OS3) running on a hypervisor)

VM & Network Security Integration

Self-secured workload: App FW, IPS, AV…

Page 12

Customers' most common Phase I concern: Instant-on or unmanaged VMs & Patching

• Determines missing patches and existing vulnerabilities
– Operating system
– Common desktop applications

• Recommends a set of lightweight, fast-to-deploy filters
– Virtually patches the vulnerabilities
– Zero-day protection
– Reports on attempts to exploit vulnerabilities

• Removes filters as soon as the patch is deployed

Virtually patch endpoints until the patch is ready, without exposing them to exploits

Page 13

“Inside-out” Protection Model for Physical, Virtual and Cloud Computing

(diagram: a “De-Militarized Zone” (DMZ), Mission Critical Servers and Business Servers, each layer protected by Firewall, IPS / NIPS, IDS / IPS, File Integrity Monitoring and Log Inspection)

Trend Micro Deep Security Provides A Secure Container for Applications and Data

Page 14

“Typical” Customer Virtualization Evolution (chart repeated as a section divider; the 15% / 30% / 70% / 85% adoption ticks for servers and desktops are omitted)

Stage 1 Consolidation: DC Consolidation
- Non-mission critical base applications
- Standardized hypervisor
- Simple VM management

Stage 2 Expansion & Desktop: Mission critical applications & Endpoint Control
- Performance becomes critical
- API and advanced management use
- VDI sampling
- Enhanced compliance controls

Stage 3 Private > Public Cloud: Hybrid and selected public cloud
- Multi-hypervisor
- Virtualized storage
- Workload management
- Burst to public

GET TECHIE

Page 15

Phase 2: Security Challenge

“Virtually unaware” traditional security architectures eliminate the benefits of VDI and virtualized mission-critical applications

Page 16

Phase II Server Performance

(diagram: three App/OS virtual machines on an ESX Server; a Security VM attached through the VMsafe APIs provides Firewall, IDS / IPS, Anti-Virus and Integrity Monitoring)

• Protect the VM by inspection of virtual components
• Unprecedented security for the app & data inside the VM
• Complete integration with, and awareness of, vMotion, Storage VMotion, HA, etc.

Page 17

Phase II: Securing virtual desktops (VDI)

• Malware risk potential: identical to physical desktops
– Same operating systems
– Same software
– Same vulnerabilities
– Same user activities
=> Same risk of exposing corporate and sensitive data

• New challenges, unique to VDI:
– Identify endpoints' virtualization status
– Manage resource contention
• CPU
• Storage IOPs
• Network

Page 18

Phase II: IT Environment Changes. Challenge: Resource Contention with VDI

• The “9-AM problem”
– Multiple users log in and download updates at the same time

• “AV-Storms”, scheduled scans
– Adds significant load to the endpoint
– Multiplied by number of VMs

Existing endpoint security induces resource contention (cumulative system load on the host) and limits desktop virtualization benefits

Page 19

Phase II: Security has to have VDI intelligence

• Detects whether endpoints are physical or virtual
– With VMware View
– With Citrix XenDesktop

• Serializes updates and scans per VDI host
– Controls the number of concurrent scans and updates per VDI host
– Maintains availability and performance of the VDI host
– Faster than the concurrent approach

• Leverages base images to further shorten scan times
– Pre-scans and white-lists VDI base images
– Prevents duplicate scanning of unchanged files on a VDI host
– Further reduces impact on the VDI host

• Can be done agentlessly as well

Page 20

Summary of Phase II Solutions

• Light and lean agents when deep visibility is required
– Using cloud-client architecture

• Agent-less option for application & server performance
– Using virtualization APIs

• Architecture optimizes performance across the entire infrastructure
– Processes are “virtually aware” across CPU, network and storage

Page 21

“Typical” Customer Virtualization Evolution (chart repeated as a section divider; the 15% / 30% / 70% / 85% adoption ticks for servers and desktops are omitted)

Phase 1 Consolidation: DC Consolidation
- Non-mission critical base applications
- Standardized hypervisor
- Simple VM management

Phase 2 Expansion & Desktop: Mission critical applications & Endpoint Control
- Performance becomes critical
- API and advanced management use
- VDI sampling
- Enhanced compliance controls

Phase 3 Private > Public Cloud: Hybrid and selected public cloud
- Multi-hypervisor
- Virtualized storage
- Workload management
- Burst to public

GET TECHIE

Page 22

Phase III: Virtualized Storage and Multi-tenancy Create Data Protection Nightmares

Datacenter (perimeter): Strong perimeter security • No shared CPU • No shared network • No shared storage

Public and Private Cloud: Weak perimeter security • Shared CPU • Shared network • Shared storage

Traditional “outside-in” approach is inadequate in an “inside-out” cloud world full of strangers

(diagram: two hypervisors hosting App 1 … App n belonging to Company 1 … Company n side by side)

Page 23

Phase 3: Security Challenge

How do I protect data in a virtualized and multi-tenant storage environment (private, hybrid, or public cloud)?

Page 24

Who Has Control?

(chart: control shifts from the End-User (Enterprise) to the Service Provider as the deployment model moves from Servers, to Virtualization & Private Cloud, to Public Cloud IaaS, Public Cloud PaaS and Public Cloud SaaS)

Page 25

Amazon Web Services™ Customer Agreement


7.2. Security. We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.

http://aws.amazon.com/agreement/#7 (3 March 2010)

The cloud customer has responsibility for security and needs to plan for protection.


Page 26

SecureCloud: Enterprise Controlled Data Protection for the Cloud


Patent pending Trend Micro technology enables enterprises to retain control of data in the cloud


Page 27

All Phases: Architecture Security Challenge

How do I bring it all together in a manageable way across virtualized, private and public cloud environments?

Page 28

A New Security Architecture For A New Era: All environments should be considered un-trusted

(diagram: data moving between the datacenter (DC1, LAN 1; DC2, LAN 2) and the public cloud (Cloud 1, LAN 2; Cloud 2, LAN 1); callouts: Users access app • Image ensures data is always encrypted and managed • Host defends itself from attack • Encrypted Data • Encryption keys controlled by you)

Benefits
• Facilitates movement between datacenter & cloud
• Delivers security compliance through encryption
• Enables portability between service providers
• Ensures private data in public cloud

Page 29

Security Best Practices Recap

Your data center is changing; have your security strategies changed accordingly?

1. Improve server defenses (supplement with IDS/IPS, FW, application security)
- Implement full audit and monitoring of virtualized environments

2. Leverage VMware VMsafe-based and vShield Endpoint-based solutions for higher levels of security with simpler operations

3. Add virtualization-aware agents where needed

4. Ensure the security solution is future-proofed for the private, public and hybrid cloud

Page 30

Thank You

Page 31

Cloud Computing Compromises

Oct 2007: Salesforce.com security breached. Repeatedly hacked (Washington Post)

Oct 2009: Amazon EC2 customer Bitbucket taken offline by Distributed Denial of Service attack (The Register)

Jan 2010: Google Gmail hacked by attacks originating in China (Financial Times)

Enterprise security challenges continue in the cloud

