Date posted: 18-Nov-2014 | Category: Technology | Uploaded by: rochester-security-summit
Copyright 2009 Trend Micro Inc.
A Plan To Control and Protect Data in the Private and Public Cloud
Todd Thiemann, Senior Director, Datacenter Security, Trend Micro
Why virtualization & cloud matters
• Speed and Business Impact
• Expertise and Performance
• Cost Reduction
1) The Cloud Imperative: “If by mid-year you have not developed and begun to execute upon an ambitious and enterprise-wide cloud strategy, then by year-end the odds are good you'll no longer be a CIO.” “Global CIO: The Top 10 CIO Issues For 2010”, InformationWeek, 21 December 2009
Virtualization & Cloud Have Management Attention
Trend Micro Confidential, 10/12/2010
Source: “The 2010 Gartner Scenario: The Current State and Future Directions of the IT Industry”, Gartner 14 June 2010
Realized Benefits of Cloud Computing: Enterprises Reducing Costs, Increasing Agility
Pharmaceutical R&D and The Cloud: “Drug behemoth Eli Lilly and Co. …uses Amazon's Elastic Compute Cloud (EC2) for scientific collaboration and computations … because they empower many subsets of users.” SearchCIO.com, 30 July 2009
Public Cloud for Backup & Storage: Using public cloud services, GE reduced backup costs by 40% to 60% and created reusable processes in a rapidly deployable model. Matt Merchant, General Electric (December 2009)
Gartner Top 10 Strategic Technologies in 2010: “Cloud Computing. Organizations should think about how to approach the cloud in terms of using cloud services, developing cloud-based applications and implementing private cloud environments.” SearchCIO.com, 22 October 2009
Cloud Computing & Security: “CISOs and Security Architects: Don't let operations-led projects lower your security profile. Engage in a discussion of the issues now, not after the fact.” Neil MacDonald, Gartner (Gartner Data Center Conference, December 2009)
Security: the #1 Cloud Challenge
Security and privacy were the foremost concerns by far, with a weighted score higher than the next three (performance, immaturity and regulatory compliance) combined. Gartner (April 2010)
“Typical” Customer Virtualization Evolution (servers first, then desktops)
Phase 1, Consolidation: DC consolidation; non-mission-critical base applications; standardized hypervisor; simple VM management
Phase 2, Expansion & Desktop: mission-critical applications and endpoint control; performance becomes critical; API and advanced management use; VDI sampling; enhanced compliance controls
Phase 3, Private > Public Cloud: public and private cloud; multi-hypervisor; virtualized storage; multi-tenancy; workload management; dedicate or burst to public
The Evolving Datacenter: Lowering Costs, Increasing Flexibility
Physical: traditional datacenter
Virtual: consolidation; cost center; single hypervisor; data per app
Private Cloud: multi-tenant; charge back; multi-hypervisor; data sharing
Public Cloud: outsourced; metered; shared resources; data mobility
Infrastructure Security and Data Protection must keep up with Cloud Evolution
Phase 1 Security Challenge
A perimeter-only (“outside-in”) approach, combined with rapid virtualization, has created less secure application environments.
“Through 2012, 60% of virtualized servers will be less secure than the physical servers they replace.” “Addressing the Most Common Security Risks in Data Center Virtualization Projects”, Gartner, 25 January 2010
Phase I: The virtual datacenter is very dynamic!
(Figure: a hypervisor surrounded by the new pressures on it: inter-VM attacks, PCI, mobility, cloud computing.)
New Challenges Require a New Security Architecture
Virtual Machines Need Specialized Protection
Same threats in virtualized servers as in physical ones.
New challenges:
1. Instant-on/dormant VMs
2. Resource contention
3. VM sprawl
4. Inter-VM traffic
5. vMotion
Virtualization Security Foundation: “Secure the workload”
(Figure: VM1 (App1/OS1) and VM3 (App3/OS3) on one hypervisor, each a self-secured workload carrying its own application firewall, IPS, AV, etc.; VM and network security integrated at the hypervisor.)
Customers' most common Phase I concern: instant-on or unmanaged VMs & patching
• Determines missing patches and existing vulnerabilities
– Operating system
– Common desktop applications
• Recommends a set of lightweight, fast-to-deploy filters
– Virtually patches the vulnerabilities
– Zero-day protection
– Reports on attempts to exploit the vulnerabilities
• Removes the filters as soon as the patch is deployed
Virtually patch endpoints until the real patch is ready, without exposing them to exploits.
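An added worked example of the filter lifecycle the bullets describe (this is not Trend Micro's code and not a description of the product's internals): compare installed versions against a vulnerability catalog, turn on a compensating IPS filter for each open vulnerability, retire that filter the moment the real patch is seen, and flag dormant VMs whose last boot predates the fix, since those cannot have received the patch and need the filter from power-on. Product names, versions, vulnerability identifiers and filter names are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class Vuln:
    vuln_id: str       # hypothetical identifier, not a real advisory
    product: str
    fixed_in: tuple    # first version that carries the vendor patch
    filter_id: str     # hypothetical IPS filter that blocks the exploit path
    published: date    # when the vendor fix (and the filter) became available


@dataclass
class Host:
    name: str
    software: dict                               # product -> installed version tuple
    last_booted: date                            # last power-on; old => dormant image
    filters: set = field(default_factory=set)    # virtual-patch filters currently in force


# Constructed catalog: made-up products, versions and filter names.
CATALOG = [
    Vuln("VULN-A", "webapp", (2, 4), "FILTER-WEBAPP-A", date(2010, 3, 1)),
    Vuln("VULN-B", "pdfreader", (9, 3, 2), "FILTER-PDF-B", date(2010, 9, 10)),
]


def missing_patches(host, catalog):
    """Vulnerabilities for which the host runs a version older than the fix."""
    return [
        v for v in catalog
        if v.product in host.software and host.software[v.product] < v.fixed_in
    ]


def reconcile_filters(host, catalog):
    """Bring the host's virtual-patch filters in line with its patch state.

    Returns (to_apply, to_remove). A filter stays on only while the matching
    vulnerability is open; it is retired as soon as the real patch is seen,
    so hosts do not accumulate stale filters after patching.
    """
    needed = {v.filter_id for v in missing_patches(host, catalog)}
    to_apply = needed - host.filters
    to_remove = host.filters - needed
    host.filters = needed
    return to_apply, to_remove


def dormant_exposure(host, catalog):
    """Open vulnerabilities published after the VM last booted.

    A dormant or instant-on VM cannot have received these patches, so it
    needs the filter from the moment it powers on, before any patch cycle.
    """
    return [
        v.vuln_id for v in missing_patches(host, catalog)
        if v.published > host.last_booted
    ]


if __name__ == "__main__":
    vm = Host("vm-web-01", {"webapp": (2, 3), "pdfreader": (9, 3, 2)},
              last_booted=date(2010, 2, 1))
    print(reconcile_filters(vm, CATALOG))   # apply FILTER-WEBAPP-A
    print(dormant_exposure(vm, CATALOG))    # VULN-A was published after last boot
    vm.software["webapp"] = (2, 4)          # the vendor patch lands
    print(reconcile_filters(vm, CATALOG))   # FILTER-WEBAPP-A retired
```

The reconciliation is idempotent: running it again after the patch lands removes exactly the filters that no longer cover an open vulnerability and leaves the rest, which is the behaviour you want from an agent that runs on every scan rather than once.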
“Inside-out” Protection Model for Physical, Virtual and Cloud Computing
(Figure: a network with a de-militarized zone (DMZ), mission-critical servers and business servers, each tier behind firewall and NIPS/IPS; on every host: firewall, IDS/IPS, file integrity monitoring and log inspection.)
Trend Micro Deep Security provides a secure container for applications and data.
“Typical” Customer Virtualization Evolution, revisited: Phase 2, Expansion & Desktop. GET TECHIE
Phase 2: Security Challenge
“Virtually unaware” traditional security architectures eliminate the benefits of VDI and virtualized mission-critical applications.
Phase II: Server Performance
(Figure: several App/OS VMs on an ESX server; a dedicated security VM (firewall, IDS/IPS, anti-virus, integrity monitoring) attached through the VMsafe APIs.)
• Protect the VM by inspection of virtual components
• Unprecedented security for the app & data inside the VM
• Complete integration with, and awareness of, vMotion, Storage VMotion, HA, etc.
Phase II: Securing virtual desktops (VDI)
• Malware risk potential: identical to physical desktops
– Same operating systems
– Same software
– Same vulnerabilities
– Same user activities
=> Same risk of exposing corporate and sensitive data
• New challenges, unique to VDI:
– Identify each endpoint's virtualization status
– Manage resource contention: CPU, storage IOPS, network
Phase II: IT Environment Changes. Challenge: Resource Contention with VDI
• The “9-AM problem”
– Multiple users log in and download updates at the same time
• “AV storms”: scheduled scans
– Add significant load to the endpoint
– Multiplied by the number of VMs on the host
Existing endpoint security induces cumulative system load: resource contention limits the benefits of desktop virtualization.
Phase II: Security has to have VDI intelligence
• Detects whether endpoints are physical or virtual
– With VMware View
– With Citrix XenDesktop
• Serializes updates and scans per VDI host
– Controls the number of concurrent scans and updates per VDI host
– Maintains availability and performance of the VDI host
– Faster than the concurrent approach
• Leverages base images to further shorten scan times
– Pre-scans and whitelists VDI base images
– Prevents duplicate scanning of unchanged files on a VDI host
– Further reduces impact on the VDI host
• Can be done agentlessly as well
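An added example of the two VDI scan controls in the bullets above (not the product's code): a scheduler that bounds how many desktops on the same VDI host scan at once, and a base-image whitelist that lets the scanner skip files unchanged from the golden image. The farm layout, host names and file contents are constructed; the scheduler produces "waves" of VMs to scan rather than driving a real scanner, and the whitelist assumes the golden image was already scanned clean.

```python
import hashlib
from collections import Counter, defaultdict


def fingerprint(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def base_image_whitelist(base_image: dict) -> set:
    """Scan the golden image once and record the hashes of its files.

    base_image maps path -> file content. A real scanner would keep only the
    hashes of files it found clean; here the image is assumed clean.
    """
    return {fingerprint(content) for content in base_image.values()}


def files_to_scan(vm_files: dict, whitelist: set) -> list:
    """Files that differ from the base image: only these are worth scanning."""
    return sorted(
        path for path, content in vm_files.items()
        if fingerprint(content) not in whitelist
    )


def schedule_scans(vm_to_host: dict, max_per_host: int) -> list:
    """Serialize scans per VDI host.

    vm_to_host maps VM name -> host it runs on. Returns a list of waves: VMs
    in one wave scan concurrently, and no wave holds more than max_per_host
    VMs from any single host, so the storm is bounded per host, not per farm.
    """
    if max_per_host < 1:
        raise ValueError("max_per_host must be at least 1")
    queues = defaultdict(list)
    for vm, host in sorted(vm_to_host.items()):
        queues[host].append(vm)
    waves = []
    while any(queues.values()):
        wave = []
        for queue in queues.values():
            wave.extend(queue[:max_per_host])
            del queue[:max_per_host]
        waves.append(wave)
    return waves


def peak_per_host(waves: list, vm_to_host: dict) -> int:
    """Largest number of VMs on one host scanning at the same moment."""
    return max(
        max(Counter(vm_to_host[vm] for vm in wave).values())
        for wave in waves
    )


if __name__ == "__main__":
    # Constructed farm: seven desktops on three VDI hosts.
    farm = {f"vdi-0{i}": "host-a" for i in range(1, 5)}
    farm.update({"vdi-05": "host-b", "vdi-06": "host-b", "vdi-07": "host-c"})
    storm = schedule_scans(farm, max_per_host=len(farm))   # the 9-AM problem
    print(len(storm), "wave(s), peak", peak_per_host(storm, farm), "per host")
    calm = schedule_scans(farm, max_per_host=2)
    print(len(calm), "wave(s), peak", peak_per_host(calm, farm), "per host")

    base = {"/w/a.dll": b"clean-a", "/w/b.dll": b"clean-b", "/w/c.exe": b"clean-c"}
    clone = {**base, "/w/b.dll": b"user-modified", "/u/new.exe": b"downloaded"}
    print(files_to_scan(clone, base_image_whitelist(base)))  # 2 of 4 files
```

The limit is applied per host, not per farm, because the contended resources (CPU, storage IOPS, network) belong to the host: two busy hosts each running two scans is fine, one host running all of its desktops' scans is the storm.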
Summary of Phase II Solutions
• Light and lean agents when deep visibility is required
– Using a cloud-client architecture
• Agentless option for application & server performance
– Using virtualization APIs
• Architecture optimizes performance across the entire infrastructure
– Processes are “virtually aware” across CPU, network, and storage
“Typical” Customer Virtualization Evolution, revisited: Phase 3, Private > Public Cloud. GET TECHIE
Phase III: Virtualized Storage and Multi-tenancy Create Data Protection Nightmares
Datacenter behind a perimeter: strong perimeter security; no shared CPU; no shared network; no shared storage.
Public and private cloud: weak perimeter security; shared CPU; shared network; shared storage.
(Figure: one hypervisor hosting App 1 through App n for Company 1, and further hypervisors shared by Company 2 through Company n.)
The traditional “outside-in” approach is inadequate in an “inside-out” cloud world full of strangers.
Phase 3: Security Challenge
How do I protect data in a virtualized and multi-tenant storage environment (private, hybrid, or public cloud)?
Who Has Control?
(Figure: control shifts from the end user (enterprise) toward the service provider along the spectrum: servers; virtualization & private cloud; public cloud IaaS; public cloud PaaS; public cloud SaaS.)
Amazon Web Services™ Customer Agreement
7.2. Security. We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.
http://aws.amazon.com/agreement/#7 (3 March 2010)
The cloud customer has responsibility for security and needs to plan for protection.
SecureCloud: Enterprise Controlled Data Protection for the Cloud
Patent-pending Trend Micro technology enables enterprises to retain control of data in the cloud.
All Phases: Architecture Security Challenge
How do I bring it all together in a manageable way across virtualized, private and public cloud environments?
A New Security Architecture For A New Era: all environments should be considered untrusted
(Figure: users access the app; the image ensures data is always encrypted and managed; the host defends itself from attack; encryption keys are controlled by you. Encrypted data moves between DC1/LAN 1, DC2/LAN 2, Cloud 1/LAN 2 and Cloud 2/LAN 1, i.e. between the datacenter and the public cloud.)
Benefits:
• Facilitates movement between datacenter & cloud
• Delivers security compliance through encryption
• Enables portability between service providers
• Ensures private data in public cloud
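An added example in Python, not SecureCloud's code and not a description of its internals, of the key-custody split the architecture calls for: the cloud provider stores only ciphertext plus a wrapped data key, the key-encryption key stays on an enterprise-run key server, and that server releases a volume's data key only to an instance the enterprise has approved. The approval check on (instance id, image hash) is an assumption made here; the cipher is a standard-library stand-in (HMAC-SHA256 keystream, encrypt-then-MAC) for a real AEAD such as AES-GCM; instance ids and image hashes are constructed.

```python
import hashlib
import hmac
import os


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher (HMAC-SHA256 in counter mode) so the example runs
    # on the standard library alone; a real deployment uses AES-GCM or similar.
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag, with separate enc/mac subkeys."""
    nonce = os.urandom(16)
    ct = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("blob failed authentication")
    return _keystream_xor(_subkey(key, b"enc"), nonce, ct)


class EnterpriseKeyServer:
    """Runs inside the enterprise. Holds the key-encryption key (KEK) and never
    exports it; hands out a volume's data key (DEK) only to instances the
    enterprise has approved. The (instance id, image hash) check is this
    example's assumption, not a description of any product."""

    def __init__(self):
        self._kek = os.urandom(32)
        self._approved = set()
        self.audit = []            # every key request, granted or not

    def approve(self, instance_id: str, image_hash: str) -> None:
        self._approved.add((instance_id, image_hash))

    def new_volume_key(self) -> tuple:
        dek = os.urandom(32)
        return dek, seal(self._kek, dek)    # plaintext DEK for the encryptor, wrapped DEK for storage

    def release_key(self, instance_id: str, image_hash: str, wrapped_dek: bytes) -> bytes:
        allowed = (instance_id, image_hash) in self._approved
        self.audit.append((instance_id, image_hash, "released" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"{instance_id} is not approved for this volume's key")
        return unseal(self._kek, wrapped_dek)


class CloudVolume:
    """What the provider stores: ciphertext plus the wrapped DEK. No plaintext
    and no KEK ever reach the provider, and nothing here is provider-specific,
    so the same object can be copied to another provider and still be opened."""

    def __init__(self, wrapped_dek: bytes, ciphertext: bytes):
        self.wrapped_dek = wrapped_dek
        self.ciphertext = ciphertext


def encrypt_volume(ks: EnterpriseKeyServer, plaintext: bytes) -> CloudVolume:
    dek, wrapped = ks.new_volume_key()
    return CloudVolume(wrapped, seal(dek, plaintext))


def mount_volume(ks: EnterpriseKeyServer, vol: CloudVolume,
                 instance_id: str, image_hash: str) -> bytes:
    """What an approved instance does at boot: obtain the DEK, decrypt locally."""
    dek = ks.release_key(instance_id, image_hash, vol.wrapped_dek)
    return unseal(dek, vol.ciphertext)


if __name__ == "__main__":
    ks = EnterpriseKeyServer()
    ks.approve("i-web-01", "sha256:golden-image")          # constructed identity
    vol = encrypt_volume(ks, b"customer records")
    print(mount_volume(ks, vol, "i-web-01", "sha256:golden-image"))
    try:
        mount_volume(ks, vol, "i-rogue", "sha256:golden-image")
    except PermissionError as e:
        print("denied:", e)
    moved = CloudVolume(vol.wrapped_dek, vol.ciphertext)   # copied to another provider
    print(mount_volume(ks, moved, "i-web-01", "sha256:golden-image"))
```

The point to check in any real deployment is the same as in the example: the provider's copy of the volume must be useless on its own (ciphertext plus a DEK wrapped under a key the provider never holds), key release must be gated and audited by the enterprise, and portability follows for free because nothing in the stored object is tied to the provider.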
Security Best Practices Recap
Your data center is changing; have your security strategies changed accordingly?
1. Improve server defenses (supplement with IDS/IPS, FW, application security); implement full audit and monitoring of virtualized environments
2. Leverage VMware VMsafe-based and vShield Endpoint-based solutions for higher levels of security with simpler operations
3. Add virtualization-aware agents where needed
4. Ensure the security solution is future-proofed for the private, public and hybrid cloud
Thank You
Cloud Computing Compromises
Oct 2007: Salesforce.com security breached, repeatedly hacked (Washington Post)
Oct 2009: Amazon EC2 customer Bitbucket taken offline by a distributed denial of service attack (The Register)
Jan 2010: Google Gmail hacked by attacks originating in China (Financial Times)
Enterprise security challenges continue in the cloud.