HOW SECURE IS YOUR PRIVATE CLOUD? Peter Bury, Enterprise Technology Specialist, Intel Security, 27 September 2016

How Secure is Your Private Cloud?



WELCOME

• Have a question for the speaker? Text it in using the Ask A Question button!

• Audio is streamed over your computer

• Technical issues? Click the ? button

• Use the Feedback button to share your feedback about today’s event

• Questions or suggestions about our webinar series? Visit support.isaca.org

• Use the Attachments button to find the following: PDF of today’s presentation; link to the Event Home Page where ISACA members can find the CPE Quiz; MORE information about upcoming CSX events; MORE assets from today’s webcast


TODAY’S SPEAKER

Peter Bury

Enterprise Technology Specialist

Intel Security


AGENDA

• Which style of Cloud is right for you?

• What does a Private Cloud look like?

• Workload Security

• Infrastructure Security


THE DATA CENTER IS TRANSFORMING

• 200%: Public Cloud Services spending to double from 2015 to 2020 [1]

• 40% of data will be stored or processed by the cloud by 2020 [2]

• 54% CAGR of SDN* and NFV** investments by 2020 [4]

• 78% of workloads will be processed in cloud by 2018 [3]

*Software-Defined Network **Network Function Virtualization

[Figure: Value and Complexity axis across Physical Datacenter, Virtual Datacenter, Private Cloud, PaaS, IaaS, SaaS]

POLLING QUESTION 1

Are you currently running a cloud transformation project where you need to decide between using private or public cloud?

A. Yes

B. No, not currently, but have in the past

C. No, never

WHY CLOUD? TRANSFORM: Public to Private

• UK Telco - £450,000/month on public cloud services

• UK Media Group - £250,000/month on public cloud services

WHY CLOUD? TRANSFORM: Physical to Public

• EMEA Governmental Cloud First Strategies

• Highly Automated - Running across multiple providers (AWS, Azure, Oracle, SoftLink)

• Aim to be 100% Public Cloud

• Security is still an issue, but believed to be doable

RESULTING CHALLENGES

[Figure: security challenges mapped across Physical Datacenter, Virtual Datacenter, Private Cloud and Public Cloud]

• Security

• Complexity / Defense in Depth

• Visibility

• Speed

• Dynamic Environment

• Increased Complexity

• Technology Silos

• Automation

• Rely on provider SLAs

• Shadow IT

• Maintaining Inventory

• No Source of Truth

• Access & Authentication

• Shared Infrastructure

• Demonstrable Security

UNDERSTANDING SHARED RESPONSIBILITY

IaaS: Customer (responsible for security ‘in’ the cloud)

• Customer Data

• Application Platform, Identity and Access Management

• Operating System, Network and Firewall Configuration

• Client side Data Encryption, Data Integrity Authentication

• Server-side Encryption (File System and/or data)

• Network Traffic Protection (Encryption/Integrity/Identity)

IaaS: Provider (responsible for security ‘of’ the cloud)

• Compute, Storage, Database, Networking

• Provider Global Infrastructure (Regions, Availability Zones, Edge Locations)

PaaS: Provider takes on more of the stack. SaaS: Provider takes on most of the stack.

POLLING QUESTION 2

Have security concerns ever hampered a cloud project in your organization?

A. Yes, security concerns stopped our cloud project

B. Yes, security concerns altered our preferred architecture

C. Yes, security concerns slowed down the project and drove up costs

D. No, we dealt with security concerns as part of the project

E. No, we ignored security concerns and went ahead

BEFORE YOU CAN FIND A NEEDLE IN A HAYSTACK … YOU NEED TO BUILD A HAYSTACK

A STRATEGY FOR HYBRID DATACENTER

Across Physical Datacenter, Virtual Datacenter, Private Cloud and Public Cloud:

• CONSISTENT VISIBILITY

• CONSISTENT MANAGEMENT

• CONSISTENT POLICY

• CONSISTENT THREAT INTELLIGENCE

What does a Private Cloud look like?

#1 PHYSICAL DATACENTER

[Figure: compute nodes on shared infrastructure, each with its own management for Network, Compute, Security, Storage, etc.; Compute, Security; Network, Security]

#2 VIRTUAL DATACENTER

[Figure: compute nodes over virtual switches and PNICs, with separate management domains]

• Network & ACLs

• DR and Consolidation

• Split Domain

• Static

• Many people stop here

#3 PRIVATE CLOUD

[Figure: compute nodes on infrastructure beneath a Service Portal, Automation & Orchestration and Management layer]

SDx Platform: Virtualization, Compute, Network, Security

Providing: Automation, Scalability, Extensibility

BLUEPRINT FOR A SECURE CLOUD AND HYBRID DATACENTER

Physical DC + Virtual DC + Public Cloud = Hybrid Data Center (Compute, Network, Storage)

Cloud Workload Security

• IaaS Discovery & Monitoring

• Cloud Connectors

• Platform Enabled Protection: AV, Virtual IPS

• Augmented with Server Protection: App/Change Control, EDR

• App/Content Security: Sec for Databases, Sec for SharePoint, Sec for Storage (Databases, Web Apps, Enterprise Apps)

Security Management and Intelligence Sharing span the whole stack

SOFTWARE-DEFINED DATA CENTER (SDDC) SECURITY FUNCTIONAL REQUIREMENTS

CAN WE DELIVER SECURITY THROUGH INFRASTRUCTURE?

• East / West Traffic: Security inspection within the perimeter AND the hypervisor

• Workload migration: Widely distributed inspection capability

• New workload protection: Inspect new workload traffic immediately

• Integrate with SDDC Security: Security doesn’t impact performance and availability

IN-DEPTH PROTECTION FOR EAST-WEST TRAFFIC FLOWS IN VMWARE ENVIRONMENTS

[Figure: Security Management over Finance, HR and Production Security Groups, each with DMZ, APP and DB tiers; a Perimeter firewall at the edge and an NSX distributed firewall between tiers, with a vNSP instance on each host; Services provided through Open Security Controller, Security Functions Catalog and McAfee Network Security Manager]

ON THE WORKLOAD: AV OPTIMIZED FOR THE PRIVATE CLOUD

[Figure: McAfee ePO managing a Data Center of VMware vSphere hosts running VMware NSX or vShield Endpoint; each host runs VMs with VMtools and a MOVE SVM; NSX/vShield Manager and MOVE SVA Manager manage the Virtual Infrastructure]

Agentless

• An SVM protects all the VMs on its hypervisor

• ePO is tightly integrated with VMware NSX

Multi-platform

• An SVM can protect 200-400 VMs

• SVA Manager acts as a Load Balancer & provisions SVMs elastically

CONFIGURE POLICY WITH INFRASTRUCTURE SECURITY GROUPS

1. Select elements to uniquely identify application workloads (App 1: OS: Windows 8, TAG: “Production”)

2. Use attributes to create Security Groups (GroupXYZ)

3. Apply policies to security groups (Policy 1: “IPS for Desktops”, “FW for Desktops”; Policy 2: “AV for Production”, “FW for Production”)

Element type

• Static: Data center, Virtual net, Virtual machine, vNIC

• Dynamic: VM name, OS type, User ID, Security tag

Use security groups to abstract policy from application workloads.

• Enforce policy based on logical constructs

• Reduce configuration errors

• Policy follows VM, not IP

• Reduce rule sprawl and complexity

AUTOMATE SECURITY OPERATIONS

ATTRIBUTE (if): Virus found; Vulnerability found (old software version, e.g. IIS.EXE); Sensitive Data Found on a “PCI” workload

ACTION (then): Quarantine VM with Firewall; Monitor VM with IPS; Allow & Encrypt* OR Restrict access while investigating

• Automated detection of security conditions (virus, vulnerability, etc.)

• Security policies define automated actions

• Security operations are automated and adapt to dynamic conditions
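As an added example (not code from the webinar, McAfee or NSX), the following Python models the two slides above: security-group membership derived from workload attributes rather than the IP address, policies bound to groups, and if/then automated responses to detected conditions. The group rules, the PCI policy and the pairing of each condition to an action are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class VM:
    name: str
    ip: str  # kept only to show that policy follows the VM, not its IP
    os_type: str
    tags: set = field(default_factory=set)

# Security groups defined by workload attributes (hypothetical rules
# modelled on the slide's OS-type and security-tag elements).
SECURITY_GROUPS = {
    "Desktops":   lambda vm: vm.os_type.startswith("Windows"),
    "Production": lambda vm: "Production" in vm.tags,
    "PCI":        lambda vm: "PCI" in vm.tags,
}

# Policies bound to groups, following the slide's Policy 1 / Policy 2;
# the "PCI" group's policy is an assumed addition.
GROUP_POLICIES = {
    "Desktops":   ["IPS for Desktops", "FW for Desktops"],
    "Production": ["AV for Production", "FW for Production"],
    "PCI":        ["Encrypt sensitive data"],
}

def groups_for(vm):
    """Membership is re-derived from attributes on every call, so it
    survives migration or an IP change and changes when the tags do."""
    return [g for g, rule in SECURITY_GROUPS.items() if rule(vm)]

def policies_for(vm):
    """Effective policy set: union of the policies of every matching group."""
    effective = []
    for group in groups_for(vm):
        effective.extend(p for p in GROUP_POLICIES[group] if p not in effective)
    return effective

def respond(vm, condition):
    """IF detected condition THEN action. The condition-to-action pairing
    is this example's assumption; the slide lists both sides separately."""
    if condition == "virus found":
        return "quarantine VM with firewall"
    if condition == "vulnerability found":
        return "monitor VM with IPS"
    if condition == "sensitive data found":
        # Expected on PCI-scoped workloads, anomalous anywhere else.
        if "PCI" in groups_for(vm):
            return "allow & encrypt"
        return "restrict access while investigating"
    return "no action"
```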

HYBRID DATACENTER SOLUTIONS

• EFFICIENCY: Single platform to meet cloud compliance and cyber security requirements for all cloud operating models

• EFFECTIVENESS: Leveraging the same security platform for all cloud operating models reduces training requirements and simplifies audit reporting

• AGILITY: DXL provides capability to easily add new control points

• SPEED: Leveraging the same security platform for all cloud operating models decreases Time to Value

Questions?

www.intelsecurity.com/privatecloudsecurity

THANK YOU FOR ATTENDING THIS WEBINAR

For more information, visit www.ISACA.org

THIS TRAINING CONTENT (“CONTENT”) IS PROVIDED TO YOU WITHOUT WARRANTY, “AS IS” AND “WITH ALL FAULTS.” ISACA MAKES NO REPRESENTATIONS OR WARRANTIES EXPRESS OR IMPLIED, INCLUDING THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR PERFORMANCE, AND NON-INFRINGEMENT, ALL OF WHICH ARE HEREBY EXPRESSLY DISCLAIMED.

YOU ASSUME THE ENTIRE RISK FOR USE OF THE CONTENT AND ACKNOWLEDGE THAT: ISACA HAS DESIGNED THE CONTENT PRIMARILY AS AN EDUCATIONAL RESOURCE FOR IT PROFESSIONALS AND THEREFORE THE CONTENT SHOULD NOT BE DEEMED EITHER TO SET FORTH ALL APPROPRIATE PROCEDURES, TESTS, OR CONTROLS OR TO SUGGEST THAT OTHER PROCEDURES, TESTS, OR CONTROLS THAT ARE NOT INCLUDED MAY NOT BE APPROPRIATE; ISACA DOES NOT CLAIM THAT USE OF THE CONTENT WILL ASSURE A SUCCESSFUL OUTCOME AND YOU ARE RESPONSIBLE FOR APPLYING PROFESSIONAL JUDGMENT TO THE SPECIFIC CIRCUMSTANCES PRESENTED TO DETERMINING THE APPROPRIATE PROCEDURES, TESTS, OR CONTROLS.

Copyright © 2016 by the Information Systems Audit and Control Association, Inc. (ISACA). All rights reserved. This webinar may not be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise).