
Source: pastconferences.auscert.org.au/conf2011/presentations... (AusCERT 2011 conference presentation)

Date post: 08-Apr-2018
Transcript
Page 1 (presentation file dated 2011-08-15)

How Data Encryption Can Be Used for Disaster Recovery in Public Clouds

Glynn Stokes - Trend Micro

Disaster Recovery in Public Clouds

Copyright 2011 Trend Micro Inc.

Why the Cloud Matters

Speed & Business Impact

Expertise & Performance

Massive Cost Reduction

Page 2

Agenda

Cloud Computing Evolution

Security Challenges in the Cloud

A New Architecture for Data Centre Security

Different Types of Clouds

Figure: progression from a server under the desk, to a 19” rack, to a computer room, adding shared resources, virtualisation and the ability to charge for resources used.

Page 3

The Evolving Data Centre

Figure: three-stage roadmap (Stage 1 Consolidation; Stage 2 Expansion & Desktop; Stage 3 Private > Public Cloud) showing the share of servers and desktops virtualised at each stage (85% servers, 70% desktops, and the further values 15%, 30% and 15%) and the drivers Cost-efficiency + Quality of Service + Business Agility.

Datacenters are evolving to drive down costs and increase business flexibility.

Security Challenges Along the Journey to the Cloud

Figure: eleven challenges placed along three stages (IT Production, Business Production, ITaaS):

- Host controls under-deployed
- Instant-on gaps
- Inter-VM attacks
- Mixed trust level VMs
- Resource contention
- Compliance / lack of audit trail
- Complexity of management
- Data access & governance
- Diminished perimeter
- Multi-tenancy
- Data destruction

71% of enterprises cite increases in complexity in the effort needed to secure the business amid these changes as a major challenge.

Page 4

Substance Emerging from Cloud Hype

Public Cloud for Backup & Storage
Using public cloud services, GE reduced backup costs by 40% to 60% and created reusable processes in a rapidly deployable model. Matt Merchant, General Electric (December 2009)

Pharmaceutical R&D and The Cloud
“Drug behemoth Eli Lilly and Co. …uses Amazon's Elastic Compute Cloud (EC2) for scientific collaboration and computations … because they empower many subsets of users.” SearchCIO.com, 30 July 2009

Gartner Top 10 Strategic Technologies in 2010
“Cloud Computing. Organizations should think about how to approach the cloud in terms of using cloud services, developing cloud-based applications and implementing private cloud environments.” SearchCIO.com, 22 October 2009

Cloud Computing & Security
“CISOs and Security Architects: Don't let operations-led projects lower your security profile. Engage in a discussion of the issues now, not after the fact.” Neil MacDonald, Gartner (Gartner Data Center Conference, December 2009)

Agenda

Cloud Computing Evolution

Security Challenges in the Cloud

A New Architecture for Data Centre Security

Page 5

Cloud Computing Compromises

Jan 2010: Google Gmail hacked by attacks originating in China (Financial Times)

Oct 2009: Amazon EC2 customer Bitbucket taken offline by Distributed Denial of Service attack (The Register)

Oct 2007: Salesforce.com security breached. Repeatedly hacked (Washington Post)

Enterprise security challenges continue in the cloud.

“The number one concern about cloud services is security.” Frank Gens, IDC, Senior VP & Chief Analyst

Figure: IDC survey chart, “Key Challenges/Issues to the Cloud/On-demand Model”. Source: IDC eXchange, "New IDC IT Cloud Services Survey: Top Benefits and Challenges," (http://blogs.idc.com/ie/?p=730) December 2009

Page 6

Who Has Control?

Figure: control shifts from the End-User (Enterprise) towards the Service Provider as the model moves from Servers, to Virtualization & Private Cloud, to Public Cloud IaaS, PaaS and SaaS.

Amazon Web Services™ Customer Agreement

7.2. Security. We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.

http://aws.amazon.com/agreement/#7 (3 March 2010)

The cloud customer has responsibility for security and needs to plan for protection.

Page 7

Why Backup to the Cloud?

Agenda

Cloud Computing Evolution

Security Challenges in the Cloud

A New Architecture for Data Centre Security

Page 8

Problem #1

“Outside-in” approach and rapid virtualization have created less secure application environments.

Virtualization & Cloud Computing Create New Security Challenges

Figure: a hypervisor hosting several VMs, annotated with Inter-VM attacks, PCI, Mobility and Cloud Computing.

Page 9

Security Challenges of Virtualization

Figure: the three stages again (Stage 1 Server Consolidation; Stage 2 Expansion & Desktop; Stage 3 Private > Public Cloud), with the percentages 85% (servers), 70% (desktops), 30% and 15%, and the challenges accumulating from stage to stage: Inter-VM attacks and Instant-ON gaps; then Mixed Trust Level VMs, Resource Contention and Maintaining Compliance; then Service Provider (in)Security and Multi-tenancy.

Problem #2

Data protection is the most pressing concern, but data is mobile, distributed and unprotected.

Gartner recommends that any data leaving the data center be encrypted, which includes … cloud services. “Emerging Technology Analysis: Storage Data Security,” Gartner, 25 November 2009

Page 10

Challenge of Securing Data

Figure: a company data centre behind its perimeter, running Company 1's applications (App 1 … App n) on dedicated hosts, contrasted with a cloud in which applications from Company 1 … Company n share a hypervisor.

Data Centre: strong perimeter security; no shared CPU; no shared network; no shared storage.

Cloud: weak perimeter security; shared CPU; shared network; shared storage.

Data Security Challenges in the Cloud

Figure: a record held in the clear (Name: John Doe, SSN: 425-79-0053, Visa #: 4456-8732…).

- Encryption rarely used: Who can see your information?
- Storage volumes and servers are mobile: Where is your data? Has it moved?
- Rogue servers might access data: Who is attaching to your storage?
- Audit and alerting modules lacking: What happened when you weren’t looking?
- Encryption keys tied to vendor: Are you locked into a single security solution? Who has access to your keys?
- Storage volumes contain residual data: Are your storage devices recycled securely?

Page 11

Data Protection for the Cloud

Policy-based Key Management in the Cloud

Identity: “Is it mine?”
• Embedded keys
• Location
• Start-up time
• etc

Integrity: “Is it okay?”
• Firewall
• AV
• Self integrity check
• etc

Auto or manual rules-based key approval
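As an added illustration, not part of the presentation and not Trend Micro's product code, the following Python sketch evaluates such a rules-based key-release decision: the identity attributes (embedded key, location, start-up time) are hard checks that refuse the key, while the integrity attributes (firewall, AV, self integrity check) route a request to manual approval when they fail. All server names, key identifiers, regions and thresholds are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

APPROVE, MANUAL, DENY = "APPROVE", "MANUAL_REVIEW", "DENY"  # key-release outcomes

@dataclass
class KeyRequest:          # what a booting server reports when it asks for its data key (assumed set)
    server_id: str         # enrolled server name
    embedded_key_id: str   # identity token baked into the machine image at deployment
    location: str          # region the host reports it is running in
    started_at: datetime   # boot time the host reports
    firewall_on: bool
    av_on: bool
    integrity_ok: bool     # result of the host's self integrity check

@dataclass
class Policy:
    registered: dict         # server_id -> embedded_key_id expected for that server
    allowed_locations: set
    max_boot_age: timedelta  # requests from hosts that booted too long ago are refused

def evaluate(req, policy, now):
    """Return (decision, reasons). Identity ('Is it mine?') failures refuse the key outright;
    integrity ('Is it okay?') failures hold the key for manual, rules-based approval."""
    if policy.registered.get(req.server_id) != req.embedded_key_id:
        return DENY, ["embedded key does not match the enrolled server identity"]
    if req.location not in policy.allowed_locations:
        return DENY, [f"location {req.location!r} not permitted"]
    if not (now - policy.max_boot_age) <= req.started_at <= now:
        return DENY, ["start-up time outside the accepted window"]
    if not req.integrity_ok:
        return DENY, ["self integrity check failed"]
    reasons = [msg for ok, msg in ((req.firewall_on, "firewall not running"),
                                   (req.av_on, "anti-virus not running")) if not ok]
    if reasons:
        return MANUAL, reasons
    return APPROVE, ["all identity and integrity checks passed"]

# Constructed sample: one enrolled server, one permitted region, a 10-minute boot window.
NOW = datetime(2011, 5, 24, 9, 0, tzinfo=timezone.utc)
SAMPLE_POLICY = Policy(registered={"web-01": "key-id-7f3a"},
                       allowed_locations={"ap-southeast"}, max_boot_age=timedelta(minutes=10))

def sample_request(now, boot_age_minutes=2, **overrides):
    """Constructed request for web-01 that passes every check unless a field is overridden."""
    fields = dict(server_id="web-01", embedded_key_id="key-id-7f3a", location="ap-southeast",
                  started_at=now - timedelta(minutes=boot_age_minutes),
                  firewall_on=True, av_on=True, integrity_ok=True)
    fields.update(overrides)
    return KeyRequest(**fields)
```

The reasons list is what an audit trail would record for each release decision, which the earlier slide notes is usually missing in cloud deployments.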

Page 12

Challenges for Public Cloud, and The Private Security Answer: 1) a self-defending host, 2) encrypted data

Figure: Internet, shared firewall, shared storage and virtual servers on shared physical hosts.

Challenge: Multiple customers on one physical server – potential for attacks via the hypervisor.
Answer: Doesn’t matter – the edge of my virtual machine is protected.

Challenge: Shared network inside the firewall.
Answer: Doesn’t matter – treat the LAN as public.

Challenge: Shared firewall – lowest common denominator, less fine-grained control.
Answer: Doesn’t matter – treat the LAN as public.

Challenge: Shared storage – is customer segmentation secure against attack?
Answer: Doesn’t matter – my data is encrypted.

Challenge: Easily copied machine images – who else has your server?
Answer: Doesn’t matter – they can start my server but only I can unlock my data.

A New Security Architecture For A New Era

All environments should be considered untrusted.

Figure: users access the application whether it runs in the datacenter or the public cloud; the host defends itself from attack, data is encrypted within the server, and the encryption keys are controlled by you.

• Facilitates movement between datacenter & cloud
• Delivers control, security and compliance through encryption
• Avoids service provider lock-in
• Enables secure storage recycling

Page 13

The Data Centre Is Changing

Have your security strategies changed accordingly?

1. Improve server defences (supplement with IDS/IPS, FW, application security)
   - Implement full audit and monitoring of virtualized environments

2. Use available virtualisation APIs for higher levels of security with simpler operations

3. Add virtualisation-aware agents where needed

4. Implement enterprise-managed encryption to secure data in the cloud

Thank you