
Cloud Security: A New Perspective


Page 1: Cloud Security: A New Perspective

© 2012 Cisco and/or its affiliates. All rights reserved.

Wen-Pai Lu, Ph.D.

Technical Leader

CloudCon, 2014

Dalian, China

Page 2

Page 3

The Meaning of Cloud (Quick recap)

•  Where? Deployment Models: Public, Private, Hybrid, Community, Virtual Private

•  What? Essential Characteristics (NIST): Measured Services, Rapid Elasticity, Resource Pooling, Self Service, Broad Access

•  How? Service Models: SaaS, PaaS, IaaS

Page 4

Security is still the biggest obstacle to Cloud Adoption

#1 Security policies

#2 Secure Connectivity

#3 Changed architecture Integration

#4 QoS, SLAs, WaaS, AVC, VPN

Forrester & Cisco report on Cloud market – 2013

Page 5

It is all About Data – Protecting your Data is the No. 1 Priority

Page 6

Cloud Security is About …

Page 7

Cloud Security: Defined “In the Cloud”

Diagram labels: Secure Cloud Infrastructure, Private Cloud, Virtualized App Servers

In the Cloud: Security (products, solutions) instantiated as an operational capability deployed within Cloud Computing environments. Examples: Routers, Firewalls, IPS, AV, WAF, …

Page 8

Cloud Security: Defined “For the Cloud”

Diagram labels: Secure Cloud Access, Public Cloud, Secure Cloud Infrastructure

For the Cloud: Security services that are specifically targeted toward securing OTHER Cloud Computing services, delivered by Cloud Computing providers.

Page 9

Cloud Security: Defined “By the Cloud”

Diagram labels: Secure Cloud Infrastructure, Cloud Security Services, Internet, Email, Web, Secure Mobility, Securing Cloud Access

By the Cloud: Security services delivered by Cloud Computing services which are used by providers.

Page 10

Infrastructure Security

Diagram labels: Load Balancer, SSL Termination, Web App Firewall, Firewall, IDS/IPS, Public Cloud (Hosted), Enterprise Cloud (Hosted), SP Broadband, Access

Virtualized Security in Private Cloud:
•  vASA, ASAv
•  Nexus 1000v
•  VSG
•  TrustSec

Physical Security:
•  ASA
•  SourceFire
•  TrustSec

Secure bridging (#2):
•  Nexus 1000v InterCloud

VPC Isolation:
•  Nexus 1000v InterCloud

Enabling virtualized Security in Public Cloud (#1, #3):
•  Nexus 1000v InterCloud
•  VSG, ASA 1000v
•  Nexus 1000v
•  vASA

Enabling secure L3 access to Cloud, WAN services (#2, #4):
•  CSR 1000v

Page 11

•  More moving parts, more complex

•  Code Execution from VM Guest to Host

•  Service Console Flaws

•  New Configuration Controls

•  Segmentation and Separation

•  Hypervisor Security

•  OS Security

•  Side Channel Attacks

•  Monitoring & Visibility

•  Virtual Security Products

Page 12

Applications & Software

Page 13

•  ISO 27001 Adherence

•  Power Supply

•  Cooling

•  Fire and Flood Damage

•  Facilities Access Right

•  Policy

•  Facility and Personnel Monitoring

•  Physical Risk Assessments

•  Remediation Plan

•  Network Cable accessible in public access area

Page 14

Page 15

•  Background Check

•  HR Hiring Policy

•  Security Awareness and Training

•  Ongoing data and system access rights

Page 16

•  Control Standards such as SSAE 16 SOC 1 or SOC 2

•  PCI, HIPAA, FISMA, SOX, or local standards

•  Baseline of Compliance Needs

•  “Boundaries” where Compliance applies

•  Required Controls for Compliance Mandates, like GRC, CCM, etc.

•  Responsible Parties

•  Legal Impacts and Ramifications

Page 17

•  What is your BCP and DR plan?

•  Who is responsible?

•  Which part of your DATA should be included in the planning?

•  Backup Strategy

•  RTO & RPO Objectives

•  DR Process

Page 18

1.  Data Breaches

2.  Data Loss

3.  Account or Service Traffic Hijacking

4.  Insecure Interfaces and APIs

5.  Denial of Service

6.  Malicious Insiders

7.  Abuse of Cloud Services

8.  Insufficient Due Diligence

9.  Shared Technology Vulnerabilities

Source: https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf

Page 19

Where is Your DATA?

Page 20

Cloud Security is all About…

•  Confidentiality
•  Integrity
•  Availability

•  Compliance
•  Governance
•  Risk Management

Page 21

•  Shift of Telco Business moves toward Application Centric

•  Business is Measured by $ per Services

•  Network Services move from Appliance Centric to Software-based

•  Cloud becomes a Key Enabler in their New Business Model

Wave of Business (diagram):

•  Voice Centric ($ per Call): Frame Relay, ISDN, ATM, QAM, T1, DS3, PSTN, SMDS, X.25

•  Data Centric ($ per mbs): VOIP, L2/L3 VPNs, VOD, Streaming Video, Triple Play, Cellular Data, IPTV, SP Wi-Fi

•  Application Centric ($ per Service): Hosted Collaboration, Elastic Load Balancing, Disaster Recovery, Security AAS, Bandwidth On-Demand, Cloud Storage

Page 22

Security As A Service & Threat Defense: Elastic Security Services Architecture

Diagram labels: Orchestration/Management API per Service; Internet, L2 VPN, L3 VPN; Ubiquitous Ethernet Access Node; Satellite, EoMPLS, MPLS-TP, etc.; Private Cloud; Residential Customer; Remote POP; A9K Cluster; Managed Router; vWAAS; Security DPI; vASA, vWSA, SBC, 3rd Party (running on a Hypervisor over UCS and/or On-Box Compute Resources, five OS instances); IronPort; Service insertion/chaining; UCS or VSM/Forge; vASA, vWSA, SBC; Scansafe, SBC; Controller

Page 23

New Cloud Service Offering by “CSP”

Software Defined Network (SDN) and Network Function Virtualization (NFV)

SDN stack (diagram labels):
•  Application Layer: Business Applications, Network Services
•  Control Layer
•  Infrastructure Layer
•  APIs between the layers

NFV architecture (diagram labels):
•  OSS/BSS
•  VNFs (multiple)
•  NFV Infrastructure (NFVI): Virtual Compute, Virtual Network, Virtual Storage; Virtualization Layer; Hardware Resources: Compute, Network, Storage
•  NFV Orchestration and Management

Page 24

•  Application API vulnerability

•  Service Hijacking

•  Virtualization Attacks

•  Distributed Denial of Service Attacks

•  Hardware and Software Hardening

•  Malicious Insiders

•  Insufficient Due Diligence

•  Shared Technology Vulnerabilities

•  Segmentation and Isolation

•  Identity of Devices, Users, Roles and Location

•  Traffic Sniffing

•  Unified Cloud Access Security

•  Threat Visibility

•  Dynamic Security Enforcement

•  Security Ecosystem

•  And much more …

Page 25

From Enterprises (End Users):

•  Information Security – Security of Data and Services

•  Data Life Cycle – Generation, Use, Transfer, Transformation, Storage, Archive and Destruction

•  IT Service Continuity – Business Continuity and Disaster Recovery

•  Incident Management – how soon the CSP can restore services, and Intrusion Detection

•  Change Management – Standardized methods and procedures for efficient handling of all changes

•  Data Loss and Breaches

•  Infrastructure Security – Network, Compute, Storage, Access Control, etc.

•  Compliance and Standards

From Service Providers:

•  Service Asset – maintaining information about Configuration Items (CI) required to deliver Cloud Services

•  Configuration Management

•  Demand Management – prepare for such demands

•  Capacity Management – Availability of sufficient capacity

•  Request Fulfillment – process for fulfilling service requests

•  Branding and Publicity

•  Service Availability – loss of Revenue and Trust

•  Management and Operations

Page 26

•  Cloud Security is not only about Data Protection

•  Data Protection includes both Data At Rest and Data In Transit

•  Need to Implement Data Life Cycle with CSP

•  Infrastructure Security provides required Protection for your Data in the Cloud

•  Need to do your due Diligence – Cloud Risk Analysis and Security Assessment

•  Other “Hard” Security Considerations include Identity and Access Management, Physical Facilities Security, DR and BCP, and Intrusion Detection and Incident Response

•  “Soft” Security Considerations include Compliance and Legal Considerations, Audit for the Cloud, Policy, Contracts with the CSP, and Governance

•  DO YOUR HOMEWORK to know what YOU are Getting

Page 27

Thank you.

Page 28

Backup

Page 29