Cloud Security & Control: A Multi-Layer Approach to Secure Cloud Computing

Date post: 01-Nov-2014
Page 1

Cloud Security & Control: A Multi-Layer Approach to Secure Cloud Computing

Paul Sathis

Director, Cloud Computing, Intel Americas

Intel Corporation

Twitter: @paulinthehouse

John Rowell

Chief Technology Officer

OpSource

Twitter: @johnrowell

Page 2

Copyright © 2011 Intel Corporation. All rights reserved. Intel, the Intel logo, Xeon and Intel Core are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. All dates and products specified are for planning purposes only and are subject to change without notice. * Other brands and names may be claimed as the property of others.

Legal Disclaimers

Intel® Virtualization Technology requires a computer system with an enabled Intel® processor, BIOS, virtual machine monitor (VMM) and, for some uses, certain platform software enabled for it. Functionality, performance or other benefits will vary depending on hardware and software configurations and may require a BIOS update. Software applications may not be compatible with all operating systems. Please check with your application vendor.

Intel® TXT requires a computer system with Intel® Virtualization Technology, an Intel TXT-enabled processor, chipset, BIOS, Authenticated Code Modules and an Intel TXT-compatible measured launch environment (MLE). Intel TXT also requires the system to contain a TPM v1.2. For more information, visit http://www.intel.com/technology/security. In addition, Intel TXT requires that the original equipment manufacturer provides TPM functionality, which requires a TPM-supported BIOS. TPM functionality must be initialized and may not be available in all countries.

Intel® AES-NI requires a computer system with an AES-NI enabled processor, as well as non-Intel software to execute the instructions in the correct sequence. For availability, consult your reseller or system manufacturer. For more information, see http://software.intel.com/en-us/articles/intel-advanced-encryption-standard-instructions-aes-ni/

Intel processor numbers are not a measure of performance. Processor numbers differentiate features within each processor series, not across different processor sequences. See http://www.intel.com/products/processor_number for details. Intel products are not intended for use in medical, life saving, life sustaining, critical control or safety systems, or in nuclear facility applications. All dates and products specified are for planning purposes only and are subject to change without notice.

On Slide 4, the sources are as follows:

1) Source: http://www.theregister.co.uk/2009/06/08/webhost_attack/

2) Source: http://www.infoworld.com/d/security-central/it-ops-security-pros-odds-over-virtualization-risks-240

On Slide 10, the sources are as follows:

3) World-record virtualization performance claim based on all published VMmark* 1.x results on http://www.ideasinternational.com/Benchmark-Top-Ten/VMmark-1-x. Top-ranked Fujitsu PRIMERGY* RX600 S5 uses four Intel® Xeon® processor X7560 (24M cache, 2.26GHz, 6.40GT/s Intel QPI). Software and workloads used in performance tests may have been optimized for performance only on Intel microprocessors. Performance tests, such as SYSmark and MobileMark, are measured using specific computer systems, components, software, operations, and functions. Any change to any of those factors may cause the results to vary. You should consult other information and performance tests to assist you in fully evaluating your contemplated purchases, including the performance of that product when combined with other products.

4) No computer system can provide absolute security under all conditions. Intel® Trusted Execution Technology (Intel® TXT) requires a computer system with Intel® Virtualization Technology, an Intel TXT-enabled processor, chipset, BIOS, Authenticated Code Modules and an Intel TXT-compatible measured launch environment (MLE). Intel TXT also requires the system to contain a TPM v1.2. For more information, visit http://www.intel.com/technology/security

5) Intel® AES-NI requires a computer system with an AES-NI enabled processor, as well as non-Intel software to execute the instructions in the correct sequence. AES-NI is available on select Intel® Xeon® processors. For availability, consult your reseller or system manufacturer. For more information, see http://software.intel.com/en-us/articles/intel-advanced-encryption-standard-instructions-aes-ni/

Page 3

VOTE

With regards to cloud computing, I am most concerned about the following issue:

- Compliance
- Multi-tenancy
- Audit
- Data Protection
- All of the above

Page 4

Security in the Cloud

Cloud & Virtualization Break Many Traditional Perimeter-oriented Security Techniques

New security requirements for cloud & virtualization:

- Abstraction of physical hardware
- Multi-tenancy and workload movement implicitly require audit & security

"Webhost hack wipes out data for 100,000 sites. Vaserv suspects zero-day virtualization vuln" —The Register (1)

"IT ops, security pros at odds over virtualization risks. IT pros upbeat about virtualization, whereas security experts harbor doubts about the security role the hypervisor can play" —IDG News Service (2)

Virtualization Benefits vs. Security Needs

Page 5

Cloud 2015 Vision

- AUTOMATED: IT can focus more on innovation and less on management
- FEDERATED: Share data securely across public and private clouds
- CLIENT AWARE: Optimizing services based on device capability (desktops, laptops, embedded, smartphones, netbooks, personal devices, smart TVs)

Open & Interoperable Solutions Essential

Page 6

From Vision to Action

Helping Cloud Service Providers on Path to Cloud 2015

Page 7

Intel Platform Technologies: Intelligence Built-in for Cloud Computing Demands

- Compute: Intel® Xeon® processors E7 & 7500 Series with hardware-based security
- Network: 10Gb Ethernet with built-in support for unified fabric
- Storage: Open platforms and performance breakthroughs (SSDs)

Result: Helps provider meet Service Level Agreements; performance for workload agility; simpler & lower cost

Page 8

Cloud Security Services Enhanced by Intel-based Technology

- Encrypt in the Cloud: Use encryption to protect data
- Trust the Cloud: Establish a trusted foundation
- Audit the Cloud: Build higher assurance into audit
- Connect to the Cloud: Establish / verify identities & federate

Page 9

Intel-based Technology Establishing Foundation for More Secure Clouds

- Encrypt: Intel® AES-NI
- Comply: Intel® TXT
- Isolate: Intel® VT & Intel® TXT

[Diagram: VM 1 and VM 2 running on a VMM, with Intel® TXT beneath the VMM as the trusted foundation]

Page 10

Great Collaboration with OpSource: Cloud Services Powered by Intel® Xeon® processor 7500 & E7 Series

- Intel Xeon processor E7 series delivers world-record virtualization performance while delivering higher VM densities than any other industry-standard server in the market today (3)
- State of the Art Hardware-based Security Technology: Working with Intel on hardware-based security such as Intel® Trusted Execution Technology (4) that can be used to verify the trustworthiness of a platform
- Foundation for High Reliability: Intel Xeon processor E7 series delivers extraordinary server reliability with automatic detection and correction of errors and interconnect error detection and recovery
- Helps OpSource deliver on high-availability and cloud performance claims

With Intel technology, OpSource can enhance security, meet demanding customer requirements & drive competitive prices

Page 11

Slide 11 © 2011 OpSource, Inc. All rights reserved.

Cloud Security & Control: A Multi-Layer Approach to Secure Cloud Computing

9/14/2011, John Rowell, CTO

Page 12

OpSource: Enterprise Cloud and Managed Hosting

- OpSource provides Enterprise Cloud and Managed Hosting Services
- Solutions for Enterprise, SaaS, Service Providers (Telecom and Cloud Platforms)
- A Dimension Data Company
- Offices: Santa Clara, CA (HQ); Herndon, VA; Dublin, London, Bangalore
- Unmatched Industry Experience: SaaS; Hosting and Scaling Software-Oriented Architectures (SOA); High Performance, Secure Cloud Computing

Page 13

Polls Show Security as Top Concern about Public Cloud

- 64% of IT Bosses express concerns about whether corporate data would be secure inside cloud service providers' datacenters (Forrester Research)
- 56% of CFOs had not invested in public cloud services because of fears over the security of sensitive data (SunGard Availability Services Poll)
- Gartner 2009 Poll

Page 14

Security is a Challenge for Utility Cloud Platforms

Page 15

Defense-in-Depth Security Applied to the Cloud

Defense in depth is a best practice in which multiple layers of security controls (defense) are implemented to provide redundancy in the event a security control fails or a vulnerability is exploited.

Layers of Defense:

- IDS / IPS
- Segmentation (VLAN, Firewall)
- Authentication and Access Control
- Data Encryption
- Incident Response
- Physical Data Center Security
- Monitoring and Tuning

Page 16

Defense #1: Intrusion Detection System

Fully-managed Intrusion Detection System (IDS) utilizing signature, protocol and anomaly based inspection methods

Page 17

Defense #2: Network Segmentation Provides Security Controls

Customer Controlled Network Configuration – configurable Layer 2 VLANs:

- Provide segmentation of public and private IP space
- NAT and VIP functions expose only those IP addresses you want made public

Customizable ACL-based firewall rules allow control of access into each network VLAN:

- Build multi-tier network architectures to separate data tiers from front-end web tiers to provide an additional layer of firewall rules to protect data
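As an added illustration of the tiered VLAN and ACL design described above (this is example code written for this page, not OpSource's configuration or API), the model below evaluates first-match ACLs per VLAN and checks that each private tier can only be entered from the tier in front of it. The VLAN names, subnets and ports are constructed; `ACL_WEAK` shows a data tier opened to any source, which the check flags.

```python
# Added example (not OpSource's code): a small model of the tiered VLAN / ACL
# design on the slide. VLAN names, subnets and ports are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR the traffic originates from
    port: Optional[int]    # None matches any destination port


# Constructed tiers: only "web" is exposed via NAT/VIP; "app" and "data" are private.
VLANS = {
    "web":  ip_network("10.10.0.0/24"),
    "app":  ip_network("10.20.0.0/24"),
    "data": ip_network("10.30.0.0/24"),
}
# Each tier may only be entered from the tier in front of it (web <- internet).
UPSTREAM = {"web": None, "app": "web", "data": "app"}

# Hardened policy: first-match ACL per VLAN with an implicit deny at the end.
ACL_HARDENED: Dict[str, List[Rule]] = {
    "web":  [Rule("allow", "0.0.0.0/0", 443)],
    "app":  [Rule("allow", "10.10.0.0/24", 8080)],
    "data": [Rule("allow", "10.20.0.0/24", 5432)],
}
# Weak policy: the data tier was opened to "anywhere" for convenience.
ACL_WEAK: Dict[str, List[Rule]] = {
    **ACL_HARDENED,
    "data": [Rule("allow", "0.0.0.0/0", 5432)],
}


def permitted(acl: Dict[str, List[Rule]], src_ip: str, dst_vlan: str, port: int) -> bool:
    """Evaluate dst_vlan's ACL for a flow from src_ip to port (first match wins)."""
    src = ip_address(src_ip)
    for rule in acl.get(dst_vlan, []):
        if src in ip_network(rule.src) and rule.port in (None, port):
            return rule.action == "allow"
    return False  # implicit deny at the end of every ACL


def tier_violations(acl: Dict[str, List[Rule]]) -> List[str]:
    """Flag allow rules that let a private tier be entered from anything but its upstream tier."""
    findings = []
    for vlan, rules in acl.items():
        upstream = UPSTREAM[vlan]
        if upstream is None:           # the public tier is meant to be reachable
            continue
        for rule in rules:
            if rule.action == "allow" and not ip_network(rule.src).subnet_of(VLANS[upstream]):
                findings.append(f"{vlan}: {rule.src}:{rule.port} is not limited to the {upstream} tier")
    return findings
```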

Page 18

Defense #3: Authentication and Access Controls

- VPN access for administration of all servers
- Unique username and password for multiple administrators
- Role-based permissions allow cloud administrators to create sub-admins to manage only certain resources, such as servers, storage or networks
- Audit logs and reporting

Page 19

Defense #3 (con't): Authentication and Access Controls

Intel® TXT establishes a "hardware root of trust" that can be used to verify the trustworthiness of a platform (4)

Applications for cloud computing:

- Base migration and workload placement decisions on the trustworthiness of the infrastructure
- Control cloud workloads

Page 20

Defense #4: Data Reliability & Security

- The Intel® Xeon® processor E7 family offers an extensive and robust set of RAS features in silicon to provide error detection, correction, containment, and recovery in all processors, memory, and I/O data paths
- VPN Access
- Data stored with 256-bit encryption at rest and 128-bit SSL encryption while in transit
- Working with Intel on utilizing Intel® Advanced Encryption Standard - New Instructions to reduce the performance penalties usually experienced with pervasive encryption (5)

Page 21

Defense #5: 24x7 Incident Response

Incident Response Teams handle reports of security incidents. An OSIRT will escalate the incident to law enforcement and/or executive management as prescribed in security policies.

24 x 7 x 365

Page 22

Defense #6: Datacenters – The Physical Security of the Cloud

- Meet or Exceed Tier III Standards (highest commercially available datacenter rating)
- All areas within facility are monitored with CCTV and onsite guards: 24x7x365 surveillance and audit logs
- Multiple layers of biometric two-factor authentication restrict access

Page 23

Defense #7: Monitoring and Tuning

Edge-to-edge security, visibility and carrier-class threat management and remediation utilizing industry-leading Arbor Networks Peakflow

Compares real-time network traffic against baseline definitions of normal network behavior, immediately flagging all anomalies due to security hazards such as:

- Denial of Service (DoS) attacks
- Distributed Denial of Service (DDoS) attacks
- Worms or botnets

Page 24

OpSource's Approach to Ensuring Security

- Defense in depth is a best practice with multiple layers of security controls
- Cisco hardware-based networking
- As part of best practice, intelligent servers are needed to secure clouds
- Intel technology helps provide foundation for Trust, Security, & Compliance with Intel® TXT and Intel® AES-NI
- Increases confidence that your data in the cloud is safe and secure

Layers of Defense:

- IDS / IPS
- Segmentation (VLAN, Firewall)
- Authentication and Access Control
- Data Encryption
- Incident Response
- Physical Data Center Security
- Monitoring and Tuning

Page 25

Setup a Cloud Network to Secure Your Environment

Page 26

Setup and Manage Cloud Servers

- Network: Cisco-based firewall, VLAN, VPN and load balancing included
- User Management: Role-based user controls; activity and usage reporting
- Support: 24x7 phone support included; Managed Services
- Flexibility: 1-8 CPU, 1-64GB RAM, 50GB-2.5TB local disk
- Hybrid: Ability to deploy dedicated and cloud servers

Page 27

Compliance Enhances Trust

Yearly certification and compliance audits to ensure security

HIPAA Business Associate

Page 28

VOTE

Learning about how OpSource secures their cloud solution, including the use of Intel Technology, has:

- Significantly increased my level of interest in OpSource's Cloud Solutions
- Slightly increased my level of interest in OpSource's Cloud Solutions
- Not changed my level of interest in OpSource's Cloud Solutions

Page 29

Continue Conversation

Paul Sathis

Director, Cloud Computing, Intel Americas

Intel Corporation

Twitter: @paulinthehouse

John Rowell

Chief Technology Officer

OpSource

Twitter: @johnrowell