© 2012 Cisco and/or its affiliates. All rights reserved.
Cloud Security: A New Perspective
Wen-Pai Lu, Ph.D., Technical Leader
CloudCon, 2014
Dalian, China
The Meaning of Cloud
Quick recap
Where? Deployment Models: Public, Private, Hybrid, Community, Virtual Private
What? Essential Characteristics (NIST): Measured Services, Rapid Elasticity, Resource Pooling, Self Service, Broad Access
How? Service Models: SaaS, PaaS, IaaS
Security is still the biggest obstacle to Cloud Adoption
#1 Security policies
#2 Secure Connectivity
#3 Changed architecture Integration
#4 QoS, SLAs, WaaS, AVC, VPN
Forrester & Cisco report on Cloud market – 2013
It is all About Data – Protecting your Data is the No. 1 Priority
Cloud Security is About …
Cloud Security: Defined “In the Cloud”
(Diagram: Secure Cloud Infrastructure, Private Cloud, Virtualized App Servers)
In the Cloud: Security (products, solutions) instantiated as an operational capability deployed within Cloud Computing environments. Examples: Routers, Firewalls, IPS, AV, WAF, …
Cloud Security: Defined “For the Cloud”
(Diagram: Secure Cloud Access, Public Cloud, Secure Cloud Infrastructure)
For the Cloud: Security services that are specifically targeted toward securing OTHER Cloud Computing services, delivered by Cloud Computing providers.
Cloud Security: Defined “By the Cloud”
(Diagram: Secure Cloud Infrastructure, Cloud Security Services, Internet, Email, Web, Secure Mobility, Securing Cloud Access)
By the Cloud: Security services delivered by Cloud Computing services which are used by providers.
Infrastructure Security
(Diagram: Load Balancer, SSL Termination, Web App Firewall, Firewall, IDS/IPS; Public Cloud (Hosted), Enterprise Cloud (Hosted), SP Broadband, Access)
• Virtualized Security in Private Cloud: vASA, ASAv; Nexus 1000v; VSG; TrustSec
• Physical Security: ASA; SourceFire; TrustSec
• Secure bridging (#2): Nexus 1000v InterCloud
• VPC Isolation: Nexus 1000v InterCloud
• Enabling virtualized Security in Public Cloud (#1, #3): Nexus 1000v InterCloud; VSG, ASA 1000v; Nexus 1000v; vASA
• Enabling secure L3 access to Cloud, WAN services (#2, #4): CSR 1000v
• More moving parts, more complex
• Code Execution from VM Guest to Host
• Service Console Flaws
• New Configuration Controls
• Segmentation and Separation
• Hypervisor Security
• OS Security
• Side Channel Attacks
• Monitoring & Visibility
• Virtual Security Products
Applications & Software
• ISO 27001 Adherence
• Power Supply
• Cooling
• Fire and Flood Damage
• Facilities Access Rights
• Policy
• Facility and Personnel Monitoring
• Physical Risk Assessments
• Remediation Plan
• Network Cable accessible in public access area
• Background Check
• HR Hiring Policy
• Security Awareness and Training
• Ongoing data and system access rights
• Control Standards such as SSAE 16 SOC 1 or SOC 2
• PCI, HIPAA, FISMA, SOX, or local standards
• Baseline of Compliance Needs
• “Boundaries” where Compliance applies
• Required Controls for Compliance Mandates, like GRC, CCM, etc.
• Responsible Parties
• Legal Impacts and Ramifications
• What is your BCP and DR plan?
• Who is responsible?
• Which part of your DATA should be included in the planning?
• Backup Strategy
• RTO & RPO Objectives
• DR Process
1. Data Breaches
2. Data Loss
3. Account or Service Traffic Hijacking
4. Insecure Interfaces and APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Vulnerabilities
Source: https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf
Where is Your DATA?
Cloud Security is all About….
• Confidentiality
• Integrity
• Availability
• Compliance
• Governance
• Risk Management
• Shift of Telco Business moves toward Application Centric
• Business is Measured by $ per Service
• Network Services move from Appliance Centric to Software-based
• Cloud becomes the Key Enabler in their New Business Model
(Figure: Wave of Business)
Voice Centric ($ per Call): Frame Relay, ISDN, ATM, QAM, T1, DS3, PSTN, SMDS, X.25
Data Centric ($ per mbs): VoIP, L2/L3 VPNs, VoD, Streaming Video, Triple Play, Cellular Data, IPTV, SP Wi-Fi
Application Centric ($ per Service): Hosted Collaboration, Elastic Load Balancing, Disaster Recovery, Security AAS, Bandwidth On-Demand, Cloud Storage
Security As A Service & Threat Defense: Elastic Security Services Architecture
(Diagram: Orchestration/Management API per Service; Internet, L2 VPN, L3 VPN; Ubiquitous Ethernet Access Node; Satellite, EoMPLS, MPLS-TP, etc.; Private Cloud; Residential Customer; Remote POP; A9K Cluster; Managed Router, vWAAS; Security, DPI; vASA, vWSA, SBC, 3rd Party; Hypervisor on UCS and/or On-Box Compute Resources running multiple OS instances; IronPort; Service insertion/chaining on UCS or VSM/Forge; Scansafe, SBC; Controller)
New Cloud Service Offering by “CSP”
Software Defined Network (SDN) and Network Function Virtualization (NFV)
(Diagram, SDN: Application Layer with Business Applications; Control Layer with Network Services; Infrastructure Layer; APIs between the layers)
(Diagram, NFV: OSS/BSS; NFV Orchestration and Management; VNFs; NFV Infrastructure (NFVI) with Virtual Compute, Virtual Network and Virtual Storage over a Virtualization Layer and Hardware Resources of Compute, Network and Storage)
• Application API vulnerability
• Service Hijacking
• Virtualization Attacks
• Distributed Denial of Service Attacks
• Hardware and Software Hardening
• Malicious Insiders
• Insufficient Due Diligence
• Shared Technology Vulnerabilities
• Segmentation and Isolation
• Identity of Devices, Users, Roles and Location
• Traffic Sniffing
• Unified Cloud Access Security
• Threat Visibility
• Dynamic Security Enforcement
• Security Ecosystem
• And much more …
From Enterprises (End Users)
• Information Security – Security of Data and Services
• Data Life Cycle – Generation, Use, Transfer, Transformation, Storage, Archive and Destruction
• IT Service Continuity – Business Continuity and Disaster Recovery
• Incident Management – how soon the CSP can restore services, and Intrusion Detection
• Change Management – Standardized methods and procedures for efficient handling of all changes
• Data Loss and Breaches
• Infrastructure Security – Network, Compute, Storage, Access Control, etc.
• Compliance and Standards
From Service Providers
• Service Asset – maintaining information about Configuration Items (CI) required to deliver Cloud Services
• Configuration Management
• Demand Management – prepare for such demands
• Capacity Management – Availability of sufficient capacity
• Request Fulfillment – process for fulfilling service requests
• Branding and Publicity
• Service Availability – loss of Revenue and Trust
• Management and Operations
• Cloud Security is not only about Data Protection
• Data Protection includes both Data At Rest and Data In Transit
• Need to Implement the Data Life Cycle with the CSP
• Infrastructure Security provides the required Protection for your Data in the Cloud
• Need to do your Due Diligence – Cloud Risk Analysis and Security Assessment
• Other “Hard” Security Considerations include Identity and Access Management, Physical Facilities Security, DR and BCP, and Intrusion Detection and Incident Response
• “Soft” Security Considerations include Compliance and Legal Considerations, Audit for the Cloud, Policy, Contracts with the CSP, and Governance
• DO YOUR HOMEWORK to know what YOU are Getting
Thank you.
Backup