Posted: 01-Nov-2014 | Category: Technology | Uploaded by: opsource
Cloud Security & Control: A Multi-Layer Approach to Secure Cloud Computing
Paul Sathis
Director, Cloud Computing, Intel Americas
Intel Corporation
Twitter: @paulinthehouse
John Rowell
Chief Technology Officer
OpSource
Twitter: @johnrowell
Copyright © 2011 Intel Corporation. All rights reserved. Intel, the Intel logo, Xeon and Intel Core are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. All dates and products specified are for planning purposes only and are subject to change without notice. * Other brands and names may be claimed as the property of others.
Legal Disclaimers
Intel® Virtualization Technology requires a computer system with an enabled Intel® processor, BIOS, virtual machine monitor (VMM) and, for some uses, certain platform software enabled for it. Functionality, performance or other benefits will vary depending on hardware and software configurations and may require a BIOS update. Software applications may not be compatible with all operating systems. Please check with your application vendor.
Intel® TXT requires a computer system with Intel® Virtualization Technology, an Intel TXT-enabled processor, chipset, BIOS, Authenticated Code Modules and an Intel TXT-compatible measured launched environment (MLE). Intel TXT also requires the system to contain a TPM v1.2. For more information, visit http://www.intel.com/technology/security. In addition, Intel TXT requires that the original equipment manufacturer provides TPM functionality, which requires a TPM-supported BIOS. TPM functionality must be initialized and may not be available in all countries.
Intel® AES-NI requires a computer system with an AES-NI enabled processor, as well as non-Intel software to execute the instructions in the correct sequence. For availability, consult your reseller or system manufacturer. For more information, see http://software.intel.com/en-us/articles/intel-advanced-encryption-standard-instructions-aes-ni/
Intel processor numbers are not a measure of performance. Processor numbers differentiate features within each processor series, not across different processor sequences. See http://www.intel.com/products/processor_number for details. Intel products are not intended for use in medical, life saving, life sustaining, critical control or safety systems, or in nuclear facility applications. All dates and products specified are for planning purposes only and are subject to change without notice.
On Slide 4, the sources are as follows:
1) Source: http://www.theregister.co.uk/2009/06/08/webhost_attack/
2) Source: http://www.infoworld.com/d/security-central/it-ops-security-pros-odds-over-virtualization-risks-240
On Slide 10, the sources are as follows:
3) World-record virtualization performance claim based on all published VMmark* 1.x results on http://www.ideasinternational.com/Benchmark-Top-Ten/VMmark-1-x. Top-ranked Fujitsu PRIMERGY* RX600 S5 uses four Intel® Xeon® processor X7560 (24M cache, 2.26GHz, 6.40GT/s Intel QPI). Software and workloads used in performance tests may have been optimized for performance only on Intel microprocessors. Performance tests, such as SYSmark and MobileMark, are measured using specific computer systems, components, software, operations, and functions. Any change to any of those factors may cause the results to vary. You should consult other information and performance tests to assist you in fully evaluating your contemplated purchases, including the performance of that product when combined with other products.
4) No computer system can provide absolute security under all conditions. Intel® Trusted Execution Technology (Intel® TXT) requires a computer system with Intel® Virtualization Technology, an Intel TXT-enabled processor, chipset, BIOS, Authenticated Code Modules and an Intel TXT-compatible measured launched environment (MLE). Intel TXT also requires the system to contain a TPM v1.2. For more information, visit http://www.intel.com/technology/security
5) Intel® AES-NI requires a computer system with an AES-NI enabled processor, as well as non-Intel software to execute the instructions in the correct sequence. AES-NI is available on select Intel® Xeon® processors. For availability, consult your reseller or system manufacturer. For more information, see http://software.intel.com/en-us/articles/intel-advanced-encryption-standard-instructions-aes-ni/
VOTE
• With regards to cloud computing, I am most concerned about the following issue:
  – Compliance
  – Multi-tenancy
  – Audit
  – Data Protection
  – All of the above
Security in the Cloud
Cloud & Virtualization Break Many Traditional Perimeter-oriented Security Techniques
New security requirements for cloud & virtualization:
• Abstraction of physical hardware
• The move to multi-tenancy implicitly requires audit & security
“Webhost hack wipes out data for 100,000 sites. Vaserv suspects zero-day virtualization vuln” —The Register [1]
“IT ops, security pros at odds over virtualization risks. IT pros upbeat about virtualization, whereas security experts harbor doubts about the security role the hypervisor can play” —IDG News Service [2]
Virtualization Benefits vs. Security Needs
Cloud 2015 Vision
• AUTOMATED: IT can focus more on innovation and less on management
• FEDERATED: Share data securely across public and private clouds
• CLIENT AWARE: Optimizing services based on device capability (desktops, laptops, netbooks, smartphones, embedded devices, personal devices, smart TVs)
Open & Interoperable Solutions Essential
From Vision to Action
Helping Cloud Service Providers on Path to Cloud 2015
Intel Platform Technologies: Intelligence Built-in for Cloud Computing Demands
• Compute: Intel® Xeon® processors E7 & 7500 Series with hardware-based security
• Network: 10Gb Ethernet with built-in support for unified fabric
• Storage: Open platforms and performance breakthroughs (SSDs)
Result: Helps Provider Meet Service Level Agreements: Performance for Workload Agility; Simpler & Lower Cost
Cloud Security Services Enhanced by Intel-based Technology
• Encrypt in the Cloud: Use encryption to protect data
• Trust the Cloud: Establish a trusted foundation
• Audit the Cloud: Build higher assurance into audit
• Connect to the Cloud: Establish / verify identities & federate
Intel-based Technology Establishing Foundation for More Secure Clouds
• Encrypt: Intel® AES-NI
• Comply: Intel® TXT
• Isolate: Intel® VT & Intel® TXT
[Diagram: VM 1 and VM 2 on a VMM of unverified integrity ("VMM??") versus VM 1 and VM 2 on a VMM launched with Intel® TXT]
Great Collaboration with OpSource: Cloud Services Powered by Intel® Xeon® processor 7500 & E7 Series
• Intel Xeon processor E7 series delivers world-record virtualization performance while delivering higher VM densities than any other industry-standard server in the market today [3]
• State of the Art Hardware-based Security Technology
  – Working with Intel on hardware-based security such as Intel® Trusted Execution Technology [4] that can be used to verify the trustworthiness of a platform
• Foundation for High Reliability
  – Intel Xeon processor E7 series delivers extraordinary server reliability with automatic detection and correction of errors and interconnect error detection and recovery
  – Helps OpSource deliver on high-availability and cloud performance claims
With Intel technology, OpSource can enhance security, meet demanding customer requirements & drive competitive prices
Slide 11 © 2011 OpSource, Inc. All rights reserved.
Cloud Security & Control: A Multi-Layer Approach to Secure Cloud Computing
9/14/2011, John Rowell, CTO
OpSource: Enterprise Cloud and Managed Hosting
• OpSource provides Enterprise Cloud and Managed Hosting Services
• Solutions for Enterprise, SaaS, Service Providers (Telecom and Cloud Platforms)
• A Dimension Data Company
• Offices: Santa Clara, CA (HQ); Herndon, VA; Dublin, London, Bangalore
• Unmatched Industry Experience
  – SaaS Hosting and Scaling Software-Oriented Architectures (SOA)
  – High Performance, Secure Cloud Computing
Polls Show Security as Top Concern about Public Cloud
• 64% of IT bosses express concerns about whether corporate data would be secure inside cloud service providers' datacenters – Forrester Research
• 56% of CFOs had not invested in public cloud services because of fears over the security of sensitive data – SunGard Availability Services Poll
[Chart: Gartner 2009 Poll]
Security is a Challenge for Utility Cloud Platforms
Defense-in-Depth Security Applied to the Cloud
Defense in depth is a best practice in which multiple layers of security controls (defense) are implemented to provide redundancy in the event a security control fails or a vulnerability is exploited.
Layers of Defense:
• IDS / IPS
• Segmentation: VLAN, Firewall
• Authentication and Access Control
• Data Encryption
• Incident Response
• Physical Data Center Security
• Monitoring and Tuning
Defense #1: Intrusion Detection System
• Fully-managed Intrusion Detection System (IDS) utilizing signature-, protocol- and anomaly-based inspection methods
Defense #2: Network Segmentation Provides Security Controls
• Customer Controlled Network Configuration – configurable Layer 2 VLANs:
  – Provide segmentation of public and private IP space
  – NAT and VIP functions expose only those IP addresses you want made public
• Customizable ACL-based firewall rules allow control of access into each network VLAN:
  – Build multi-tier network architectures to separate data tiers from front-end web tiers to provide an additional layer of firewall rules to protect data
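The multi-tier design on this slide is easiest to reason about with an executable model. The following is an added example, not OpSource's platform code: it defines a web-tier and a data-tier VLAN, a first-match ACL on traffic entering each VLAN, a single-flow evaluator with the implicit deny at the end of every ACL, and an audit check that no data-tier permit rule accepts traffic from outside the web tier. The address ranges, ports and rules are constructed for illustration.

```python
"""Added example (constructed model, not OpSource's platform code): a
multi-tier VLAN layout with first-match ACLs per VLAN, an evaluator for a
single flow, and an audit check that the data tier accepts connections only
from the web tier. Addresses, tier names, ports and rules are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed VLAN layout: a public-facing web tier and a private data tier.
VLANS = {
    "web": ip_network("10.0.10.0/24"),
    "data": ip_network("10.0.20.0/24"),
}


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source network, CIDR notation
    dst: str               # destination network, CIDR notation
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any destination port


# Constructed first-match ACLs, applied to traffic entering each VLAN.
ACLS = {
    "web": [
        Rule("permit", "0.0.0.0/0", "10.0.10.0/24", "tcp", 443),
        Rule("permit", "0.0.0.0/0", "10.0.10.0/24", "tcp", 80),
        Rule("deny", "0.0.0.0/0", "10.0.10.0/24", "any", None),
    ],
    "data": [
        # Only the web tier may reach the database port; everything else is dropped.
        Rule("permit", "10.0.10.0/24", "10.0.20.0/24", "tcp", 3306),
        Rule("deny", "0.0.0.0/0", "10.0.20.0/24", "any", None),
    ],
}


def vlan_of(addr: str) -> Optional[str]:
    """Name of the VLAN containing addr, or None for addresses outside the cloud network."""
    ip = ip_address(addr)
    for name, net in VLANS.items():
        if ip in net:
            return name
    return None


def rule_matches(rule: Rule, src, dst, proto: str, dport: int) -> bool:
    """True when the flow falls inside the rule's source, destination, protocol and port."""
    return (src in ip_network(rule.src)
            and dst in ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and rule.dport in (None, dport))


def evaluate(src: str, dst: str, proto: str, dport: int) -> str:
    """Decide 'permit' or 'deny' for one flow using the ACL of the destination VLAN.
    Traffic to a destination outside any managed VLAN hits the implicit deny."""
    tier = vlan_of(dst)
    if tier is None:
        return "deny"
    s, d = ip_address(src), ip_address(dst)
    for rule in ACLS[tier]:
        if rule_matches(rule, s, d, proto, dport):
            return rule.action          # first match wins
    return "deny"                       # implicit deny at the end of every ACL


def data_tier_exposed() -> List[Rule]:
    """Audit check: data-tier permit rules whose source is not inside the web tier.
    An empty list means the data tier is reachable only through the front-end tier."""
    return [r for r in ACLS["data"]
            if r.action == "permit" and not ip_network(r.src).subnet_of(VLANS["web"])]


if __name__ == "__main__":
    for flow in [("203.0.113.5", "10.0.10.7", "tcp", 443),
                 ("203.0.113.5", "10.0.20.7", "tcp", 3306),
                 ("10.0.10.7", "10.0.20.7", "tcp", 3306)]:
        print(flow, "->", evaluate(*flow))
    print("exposed data-tier rules:", data_tier_exposed())
```

The audit helper is the part worth keeping around: a change that adds a broad permit to the data-tier ACL (for example a source of `0.0.0.0/0`) shows up as a non-empty result, which is exactly the regression the "additional layer of firewall rules" is meant to prevent.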
Defense #3: Authentication and Access Controls
• VPN access for administration of all servers
• Unique username and password for multiple administrators
• Role-based permissions allow cloud administrators to create sub-admins to manage only certain resources, such as servers, storage or networks
• Audit logs and reporting
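The three controls on this slide (unique administrator accounts, sub-admins scoped to one resource type, and audit logging) fit together in a small authorization model. The following is an added example, not OpSource's control-panel code: a cloud administrator delegates a storage-only sub-admin, each authorization decision is written to an audit log, and the delegated role deliberately lacks the right to delegate further so scope cannot widen by chaining. User names, role names and resource identifiers are constructed.

```python
"""Added example (constructed, not OpSource's control panel code): role-based
permissions in which a cloud administrator creates sub-admins scoped to one
resource type (servers, storage or networks), every administrator has a unique
username, and every decision is written to an audit log. Names are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

RESOURCE_TYPES = {"server", "storage", "network"}


@dataclass(frozen=True)
class Role:
    name: str
    resource_types: frozenset   # resource kinds this role may manage
    actions: frozenset          # e.g. {"read", "write", "delegate"}


CLOUD_ADMIN = Role("cloud-admin", frozenset(RESOURCE_TYPES),
                   frozenset({"read", "write", "delegate"}))


@dataclass
class AuditEntry:
    when: str
    user: str
    action: str
    target: str
    allowed: bool


class AccessControl:
    def __init__(self) -> None:
        self.users: Dict[str, List[Role]] = {}
        self.audit: List[AuditEntry] = []

    def _log(self, user: str, action: str, target: str, allowed: bool) -> bool:
        """Record every decision, allowed or denied, with a UTC timestamp."""
        self.audit.append(AuditEntry(datetime.now(timezone.utc).isoformat(),
                                     user, action, target, allowed))
        return allowed

    def add_user(self, username: str, role: Role) -> bool:
        """Register an administrator; usernames are unique, so a duplicate is refused."""
        if username in self.users:
            return False
        self.users[username] = [role]
        return True

    def permitted(self, username: str, action: str, resource_type: str) -> bool:
        """True if any role held by the user grants the action on that resource type."""
        return any(action in r.actions and resource_type in r.resource_types
                   for r in self.users.get(username, []))

    def check(self, username: str, action: str, resource: str) -> bool:
        """Authorize one operation on a resource named "<type>:<id>" and audit the result."""
        rtype = resource.split(":", 1)[0]
        allowed = rtype in RESOURCE_TYPES and self.permitted(username, action, rtype)
        return self._log(username, action, resource, allowed)

    def create_sub_admin(self, actor: str, username: str, resource_type: str) -> bool:
        """Delegate a role limited to one resource type. Only a holder of 'delegate'
        on that type may do this, and the sub-admin never receives 'delegate'."""
        allowed = (resource_type in RESOURCE_TYPES
                   and self.permitted(actor, "delegate", resource_type)
                   and username not in self.users)
        self._log(actor, "create-sub-admin", f"{resource_type}:{username}", allowed)
        if allowed:
            self.users[username] = [Role(f"{resource_type}-admin",
                                         frozenset({resource_type}),
                                         frozenset({"read", "write"}))]
        return allowed


def demo() -> AccessControl:
    """Constructed scenario: one cloud admin delegates storage management to a sub-admin."""
    ac = AccessControl()
    ac.add_user("alice", CLOUD_ADMIN)
    ac.create_sub_admin("alice", "bob", "storage")
    ac.check("bob", "write", "storage:vol-01")      # allowed: inside bob's scope
    ac.check("bob", "write", "server:web-01")       # denied: servers are not bob's
    ac.create_sub_admin("bob", "carol", "storage")  # denied: bob cannot delegate
    return ac


if __name__ == "__main__":
    for entry in demo().audit:
        print(entry)
```

Denied attempts are logged alongside allowed ones; for the reporting bullet on this slide, the denied entries are the ones a reviewer will want to see first.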
Defense #3 (con’t): Authentication and Access Controls
• Intel® TXT establishes a “hardware root of trust” that can be used to verify the trustworthiness of a platform [4]
• Applications for cloud computing
  – Base migration and workload placement decisions on the trustworthiness of the infrastructure
  – Control cloud workloads
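How a measured launch turns into a placement decision is worth seeing in code. The following is an added illustrative simulation, not Intel TXT, a TPM driver or any real attestation API: the root of trust is modelled as a hash chain of boot-component measurements (an extend operation in the style of a TPM register), each host's final value is compared with a known-good list, and a scheduler restricts workloads tagged trusted-only to hosts that match. Component names, host names and the policy are constructed, and a real deployment would obtain the measurements from a signed quote rather than from a dictionary.

```python
"""Added example (an illustrative simulation, not Intel TXT, a TPM driver or
any attestation API): models a hardware root of trust as a hash chain of
boot-component measurements, compares each host's resulting platform value
with a known-good list, and restricts placement of sensitive workloads to
hosts that match. Component names, hosts and policies are constructed."""
import hashlib
from typing import Dict, Iterable, List, Sequence

REGISTER_SIZE = 32  # bytes; SHA-256 digest length


def extend(register: bytes, component: bytes) -> bytes:
    """Extend operation in the style of a TPM PCR: new = H(old || H(component)).
    Order matters, so the chain also records which component came first."""
    return hashlib.sha256(register + hashlib.sha256(component).digest()).digest()


def platform_measurement(components: Sequence[bytes]) -> str:
    """Run the whole launch sequence (firmware, then launch module, then VMM)
    through the register, starting from all zeros, and report the final value."""
    reg = bytes(REGISTER_SIZE)
    for c in components:
        reg = extend(reg, c)
    return reg.hex()


# Constructed known-good launch sequence and the whitelist derived from it.
KNOWN_GOOD_SEQUENCE = [b"bios-build-1.2", b"launch-module-signed", b"vmm-4.1"]
KNOWN_GOOD = {platform_measurement(KNOWN_GOOD_SEQUENCE)}

# Constructed host inventory: host-b boots an altered VMM image, so its chain diverges.
HOSTS: Dict[str, str] = {
    "host-a": platform_measurement([b"bios-build-1.2", b"launch-module-signed", b"vmm-4.1"]),
    "host-b": platform_measurement([b"bios-build-1.2", b"launch-module-signed", b"vmm-4.1-altered"]),
    "host-c": platform_measurement([b"bios-build-1.2", b"launch-module-signed", b"vmm-4.1"]),
}


def is_trusted(host: str, hosts: Dict[str, str] = HOSTS, known_good=KNOWN_GOOD) -> bool:
    """A host is trusted only if its reported platform value is on the known-good list;
    an unknown host has no measurement and is therefore untrusted."""
    return hosts.get(host) in known_good


def place_workload(requires_trusted: bool, candidates: Iterable[str],
                   hosts: Dict[str, str] = HOSTS, known_good=KNOWN_GOOD) -> List[str]:
    """Placement policy: a workload tagged trusted-only may land only on trusted hosts;
    any other workload may use every candidate. Migration applies the same rule."""
    return [h for h in candidates
            if not requires_trusted or is_trusted(h, hosts, known_good)]


if __name__ == "__main__":
    for name in HOSTS:
        print(name, "trusted" if is_trusted(name) else "UNTRUSTED")
    print("trusted-only workload may be placed on:", place_workload(True, HOSTS))
```

Two properties of the model carry over to real measured-launch deployments: a single altered component anywhere in the sequence changes the final value, and the known-good list has to be re-derived whenever firmware or the VMM is legitimately updated, or every patched host drops out of the trusted pool.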
Defense #4: Data Reliability & Security
• The Intel® Xeon® processor E7 family offers an extensive and robust set of RAS features in silicon to provide error detection, correction, containment, and recovery in all processors, memory, and I/O data paths
• VPN Access
• Data stored with 256-bit encryption at rest and 128-bit SSL encryption while in transit
• Working with Intel on utilizing Intel® Advanced Encryption Standard New Instructions to reduce the performance penalties usually experienced with pervasive encryption [5]
Defense #5: 24x7 Incident Response
• Incident Response Teams handle reports of security incidents 24 x 7 x 365. An OSIRT will escalate the incident to law enforcement and/or executive management as prescribed in security policies
Defense #6: Datacenters – The Physical Security of the Cloud
• Meet or Exceed Tier III Standards (highest commercially available datacenter rating)
• All areas within the facility are monitored with CCTV and onsite guards: 24x7x365 surveillance and audit logs
• Multiple layers of biometric two-factor authentication restrict access
Defense #7: Monitoring and Tuning
• Edge-to-edge security, visibility and carrier-class threat management and remediation utilizing industry-leading Arbor Networks Peakflow
• Compares real-time network traffic against baseline definitions of normal network behavior, immediately flagging all anomalies due to security hazards such as:
  – Denial of Service (DoS) attacks
  – Distributed Denial of Service (DDoS) attacks
  – Worms or botnets
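The "baseline versus real-time traffic" comparison on this slide is a statistical check, and it helps to see one written out. The following is an added example, not Arbor Networks Peakflow and not OpSource's configuration: a per-destination baseline of packets per second is learned from quiet intervals, a live interval is flagged when it exceeds the baseline mean by more than K standard deviations, the flag is labelled by how many distinct sources contribute (the DoS versus DDoS distinction on the slide), and a destination with no learned baseline is reported as a visibility gap rather than silently ignored. The counters, thresholds and addresses are constructed.

```python
"""Added example (constructed, not Arbor Networks Peakflow or OpSource's
configuration): the baseline-versus-live comparison the slide describes.
A per-destination baseline of packets per second is learned from quiet
intervals; a live interval is flagged when it exceeds the baseline mean by
more than K standard deviations, and the flag is labelled by how many
distinct sources contribute. All counters and thresholds are assumptions."""
from statistics import mean, pstdev
from typing import Dict, List, Tuple

K = 3.0             # flag threshold, in standard deviations above the baseline mean
MIN_SIGMA = 1.0     # floor so a perfectly flat baseline does not flag every blip
MANY_SOURCES = 500  # distinct sources at or above which a surge is labelled distributed

# Constructed baseline: packets/sec toward one web server over 20 quiet intervals.
HISTORY: Dict[str, List[int]] = {
    "10.0.10.7": [980, 1010, 995, 1020, 1005, 990, 1000, 1015, 985, 1000,
                  1010, 995, 1005, 990, 1000, 1020, 980, 1000, 1010, 995],
}

# Constructed live counters: (interval, destination, packets/sec, distinct source count).
LIVE: List[Tuple[int, str, int, int]] = [
    (1, "10.0.10.7", 1005, 40),
    (2, "10.0.10.7", 1010, 42),
    (3, "10.0.10.7", 9800, 1200),   # surge from many sources
    (4, "10.0.10.7", 1000, 41),
    (5, "10.0.10.9", 300, 3),       # host with no learned baseline yet
]


def build_baseline(history: Dict[str, List[int]]) -> Dict[str, Tuple[float, float]]:
    """Mean and (floored) population standard deviation of the learned rate per destination."""
    return {dst: (mean(rates), max(pstdev(rates), MIN_SIGMA))
            for dst, rates in history.items()}


def detect(live: List[Tuple[int, str, int, int]],
           baseline: Dict[str, Tuple[float, float]], k: float = K) -> List[dict]:
    """Compare each live interval with its baseline and return the anomalies found."""
    alerts = []
    for interval, dst, pps, sources in live:
        if dst not in baseline:
            # No model of "normal" for this host: a visibility gap, reported so it gets baselined.
            alerts.append({"interval": interval, "dst": dst, "kind": "no-baseline"})
            continue
        mu, sigma = baseline[dst]
        zscore = (pps - mu) / sigma
        if zscore > k:
            kind = "distributed-flood" if sources >= MANY_SOURCES else "single-source-flood"
            alerts.append({"interval": interval, "dst": dst, "kind": kind,
                           "zscore": round(zscore, 1), "sources": sources})
    return alerts


def run() -> List[dict]:
    """Learn the baseline from HISTORY and evaluate the LIVE counters against it."""
    return detect(LIVE, build_baseline(HISTORY))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The tuning decision that matters in practice is the window the baseline is learned from: if a flood is allowed into the history, the mean and deviation grow and the next flood of the same size is no longer an anomaly, so baselines should be refreshed only from intervals that were not themselves flagged.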
OpSource’s Approach to Ensuring Security
• Defense in depth is a best practice with multiple layers of security controls
  – Cisco hardware-based networking
  – As part of best practice, intelligent servers are needed to secure clouds
  – Intel technology helps provide foundation for Trust, Security, & Compliance with Intel® TXT and Intel® AES-NI
  – Increases confidence that your data in the cloud is safe and secure
Setup a Cloud Network to Secure Your Environment
Setup and Manage Cloud Servers
Network: Cisco-based firewall, VLAN, VPN and load balancing included
User Management: Role-based user controls; activity and usage reporting
Support: 24x7 phone support included; Managed Services
Flexibility: 1-8 CPU, 1-64GB RAM, 50GB-2.5TB local disk
Hybrid: Ability to deploy dedicated and cloud servers
Compliance Enhances Trust
• Yearly certification and compliance audits to ensure security
HIPAA Business Associate
VOTE
• Learning about how OpSource secures their cloud solution, including the use of Intel Technology, has:
  – Significantly increased my level of interest in OpSource’s Cloud Solutions
  – Slightly increased my level of interest in OpSource’s Cloud Solutions
  – Not changed my level of interest in OpSource’s Cloud Solutions
Continue Conversation
Paul Sathis
Director, Cloud Computing, Intel Americas
Intel Corporation
Twitter: @paulinthehouse
John Rowell
Chief Technology Officer
OpSource
Twitter: @johnrowell