Securing Your Journey to the Cloud. Rami Naccache, Sr. Presales Engineer, Trend Micro Middle East. Data Center Evolution: Physical. Virtual. Cloud. 5/13/2013. Copyright 2013 Trend Micro Inc.

CW13 Securing Your Journey to the Cloud by Rami Naccache


DESCRIPTION

The Inevitable Cloud Conference (CLOUD WEEKEND) is the biggest Cloud Computing event in Egypt and has been held annually since 2012. For more information: Facebook: https://www.facebook.com/TheInevitableCloud LinkedIn: http://www.linkedin.com/company/2990722?goback=%2Efps_PBCK_inevitable+cloud_*1_*1_*1_*1_*1_*1_*2_*1_Y_*1_*1_*1_false_1_R_*1_*51_*1_*51_true_*2_*2_*2_*2_*2_*2_*2_*2_*2_*2_*2_*2_*2_*2_*2_*2_*2_*2_*2_*2_*2&trk=prof-exp-company-name Contact us: [email protected]


Page 1: CW13 Securing Your Journey to the Cloud by Rami Naccache

Securing Your Journey to the Cloud

Rami Naccache – Sr. Presales Engineer, Trend Micro Middle East

Data Center Evolution: Physical. Virtual. Cloud.

5/13/2013 Copyright 2013 Trend Micro Inc.

Page 2: CW13 Securing Your Journey to the Cloud by Rami Naccache

Physical Desktops & Servers

Desktop Virtualization

Server Virtualization

Private Cloud

Hybrid Cloud

Public Cloud

Mobile

BYOPC

Journey to the Cloud

Where is Your Data?


Page 3: CW13 Securing Your Journey to the Cloud by Rami Naccache


Empower the business: Improve business agility by providing quick and intuitive access to the right information, tools and applications

Mitigate the risk: Protect sensitive information to maintain brand and comply with regulations, while controlling costs

CIO

Page 4: CW13 Securing Your Journey to the Cloud by Rami Naccache

Branch Offices

Main Campus

Mobile Workers

Fixed Telecommuters

Internet

Data Center

SaaS

IaaS Private Public

ENDPOINT

Infection via Social Engineering

Heavy User Touch Environment

Consumerization is key trend

SERVER

Infection via Threat Injection

Locked Down Mission-Critical Env.

Virtualization/Cloud is key trend

Journey to the Cloud

Endpoint and Server Security Diverging

Page 5: CW13 Securing Your Journey to the Cloud by Rami Naccache

Virtual Cloud Physical

Cross-platform Security

One Security Model is Possible across Physical, Virtual, and Cloud Environments

• New platforms don’t change the threat landscape

• Each platform has unique security risks

• Integrated security is needed across all platforms


Page 6: CW13 Securing Your Journey to the Cloud by Rami Naccache

Platform-specific Security Risks

One Security Model is Possible across Physical, Virtual, and Cloud Environments

Visibility & Threats

• Less visibility

• More external risks

Performance & Threats

• Security degrades performance

• New VM-based threats

Manageability

• Glut of security products

• Less security

• Higher TCO

Virtual Cloud Physical

Increase Efficiency Deliver Agility Reduce Complexity

Integrated Security

Single Management Console


Page 7: CW13 Securing Your Journey to the Cloud by Rami Naccache

Physical

Consolidate Physical Security

Reduce Complexity

Page 8: CW13 Securing Your Journey to the Cloud by Rami Naccache

• Advanced Reporting Module

• Single Management Console

• Firewall

• HIPS / Virtual Patching

• File Integrity Monitoring

• Antivirus

• Log Inspection

• Web Application Protection

One Server Security Platform

Reduce Complexity


Page 9: CW13 Securing Your Journey to the Cloud by Rami Naccache

Virtual

Server and Desktop Virtualization Security

Increase Efficiency

Page 10: CW13 Securing Your Journey to the Cloud by Rami Naccache

Typical AV Console

3:00am Scan

Antivirus Storm

Automatic security scans overburden the system

Virtualization Security

Challenge: Resource Contention


Page 11: CW13 Securing Your Journey to the Cloud by Rami Naccache

Reactivated and cloned VMs can have out-of-date security

Dormant

Virtualization Security

Challenge: Instant-on Gaps

Active

Reactivated with outdated security

Cloned


Page 12: CW13 Securing Your Journey to the Cloud by Rami Naccache

Attacks can spread across VMs

Virtualization Security

Challenge: Inter-VM Attacks / Blind Spots


Page 13: CW13 Securing Your Journey to the Cloud by Rami Naccache

Virtualization Security

VM sprawl inhibits compliance

Challenge: Complexity of Management

Patch agents

Rollout patterns

Provisioning new VMs

Reconfiguring agents


Page 14: CW13 Securing Your Journey to the Cloud by Rami Naccache

• Antivirus

• Integrity Monitoring

Agentless Security for VMware — Antivirus and more

VM VM VM

The Old Way

Security Virtual Appliance

VM VM VM

With Agentless Security

VM

• Intrusion Prevention

• Virtual Patching

• Firewall

• Web Application Protection

Virtualization Security

What is the Solution? A Dedicated Security Virtual Appliance

VM VM VM VM VM VM

Maximizes Performance and ROI


Page 15: CW13 Securing Your Journey to the Cloud by Rami Naccache

Sources: Tolly Enterprises Test Report, Trend Micro Deep Security vs. McAfee and Symantec, February 2011; Saving estimate based on VMware ROI calculations

[Bar chart: VMs per host, Traditional AV vs. Agentless AV; values shown: 75 and 25]

3X higher VDI VM consolidation ratios

3-year Savings on 1000 VDI VMs = $539,600

Virtualization Security

Increased ROI with Agentless Security

Example: Agentless Antivirus


Page 16: CW13 Securing Your Journey to the Cloud by Rami Naccache

Security Virtual Appliance

VM VM VM

With Agentless Security

VM

Virtualization Security

What is the Solution? Layered, Virtualization-Aware Security in One Platform

VM VM VM VM VM VM

Protect your efforts to consolidate servers, enable VDI, and support consumerization

Integrated Modules:

• Antivirus

• Integrity Monitoring

• Intrusion Prevention

• Web Application Protection

• Application Control

• Firewall

• Log Inspection

Simplified Management

Higher Density

Optimized Resources

Stronger Security


Page 17: CW13 Securing Your Journey to the Cloud by Rami Naccache

vShield Endpoint

Security Virtual Appliance

Other VMware APIs

Security agent on individual VMs

Integrates with vCenter

Antivirus

Agentless

Agentless

IDS / IPS

Web Application Protection

Application Control

Firewall

Log Inspection

Agent-based

Integrity Monitoring

vSphere Virtual Environment

Virtualization Security

Fitting into the VMware Ecosystem


Page 18: CW13 Securing Your Journey to the Cloud by Rami Naccache

Hypervisor-integrated agentless antivirus released in Nov. 2010

1000 agentless security customers in the first year

Over 250,000 VMs are licensed for agentless antivirus

Agentless FIM released in 2012

Multiple agentless security modules now available

Largest customer purchase is 8,000 VMs

Most dense deployment is 300 VMs/host

“Deep Security provides a robust set of tools to add to your toolbox. The realized performance improvement is visible to the naked eye.”

- Ed Haletky, Virtualization Practice (www.virtualizationpractice.com)

Virtualization Security

Trend Micro Market Momentum

Agentless Security


Page 19: CW13 Securing Your Journey to the Cloud by Rami Naccache

AM Scan Performance


1st AM scan

2nd AM scan (cached)

Scan time ~ 20x faster

Significant DSVA CPU Reduction

Huge IO Volume Reduction

Page 20: CW13 Securing Your Journey to the Cloud by Rami Naccache

Cloud Computing

Cloud Deployments and Security

Deliver Agility

Page 21: CW13 Securing Your Journey to the Cloud by Rami Naccache

Additional Resources

• Scalability

• Cost savings

Provides business agility

Data Access

• Anytime, anywhere

• Device flexibility

Supports BYOD and consumerization

Security is the #1 cloud adoption inhibitor

Sources: 1) Security Catalyst. Barometer Assessment: Final Report, Oct 14, 2011; 2) Trend Micro Survey, May 2011

Cloud Security

Why Companies Turn to the Cloud


Page 22: CW13 Securing Your Journey to the Cloud by Rami Naccache

Who is responsible for security?

• With IaaS the customer is responsible for VM-level security

• With SaaS or PaaS the service provider is responsible for security

Public Cloud PaaS

Public Cloud IaaS

Servers Virtualization & Private Cloud

End-User (Enterprise)

Service Provider

Public Cloud SaaS

Cloud Security

Cloud Models: Who Has Control?


Page 23: CW13 Securing Your Journey to the Cloud by Rami Naccache

Cloud Security

Challenge: Multi-tenancy / Mixed Trust Level VMs

Shared resources create a mixed trust level environment


Page 24: CW13 Securing Your Journey to the Cloud by Rami Naccache

Cloud Security

Challenge: Data Access and Governance

Cloud data can provide less visibility and control


Page 25: CW13 Securing Your Journey to the Cloud by Rami Naccache


Cloud Security

Challenge: Data Destruction

When data is moved, unsecured data remnants can remain


Page 26: CW13 Securing Your Journey to the Cloud by Rami Naccache

Patient Medical Records

Credit Card Payment Information

Sensitive Research Results

Social Security Numbers

• Unreadable for unauthorized users

• Control of when and where data is accessed

• Server validation

• Custody of keys

Encryption with Policy-based Key Management

Cloud Security

Modular Protection

• Self-defending VM security

• Agentless and agent-based

• One management portal for all modules, all deployments

vSphere & vCloud

Cloud Security

What is the Solution? Workload and Data Protection

Integration ensures servers have up-to-date security before encryption keys are released

Page 27: CW13 Securing Your Journey to the Cloud by Rami Naccache

VM VM VM VM VM VM VM VM VM VM VM VM

Data Center Private Cloud Public Cloud

VMware vCloud

VMware

vSphere

Encryption throughout your cloud journey—

data protection for physical, virtual & cloud

Cloud Security

Fitting Encryption into a VMware Ecosystem

Enterprise Key

Key Service

Console

Encryption

Solution


Page 28: CW13 Securing Your Journey to the Cloud by Rami Naccache

Physical

Database

Storage

Virtual

Web Server

Mail Server

Web

Server

Enterprise

Providers

Deep Security

Web

Access

Securing Workloads

Physical, Private, and Public Clouds

Page 29: CW13 Securing Your Journey to the Cloud by Rami Naccache

VM

VMware Virtualization

Security Virtual Appliance

VM VM VM VM

• Agentless security

• Layered server security

• Encryption for vSphere

Private Cloud

• Agentless security

• Layered server security

Security Virtual Appliance

VM VM VM

Public Cloud

Server security console

• Shared policy profile

• Virtual patching

VM

VM VM VM VM

• Encryption for vCloud

• Compliance support (FIM, Encryption, etc.)

Encryption console

• Shared policy profile

• Key ownership

• Agent-based security

• Layered server security

• Encryption for leading cloud providers

• Compliance support (FIM, Encryption, etc.)

VM

Virtualization and Cloud Security

One Security Model


Page 30: CW13 Securing Your Journey to the Cloud by Rami Naccache

Trend Micro Confidential-NDA Required

Extending to cloud scale

• Resource-pooling – independent tenant policies/data for shared, multi-tenant clouds

• Elasticity – Automated deployment of components to cloud scale

• Self-service – Policies can be delegated by cloud admin to tenants through self-service GUI

Same architecture can be deployed as security-as-a-service by IaaS public cloud providers, or within enterprise ITaaS for private clouds.

“Cloud Workloads Security” as a Service

Support for Multi-Tenant clouds

Page 31: CW13 Securing Your Journey to the Cloud by Rami Naccache


Virtualization and Cloud Security

Leading Industry Success Stories

Page 32: CW13 Securing Your Journey to the Cloud by Rami Naccache

Trend Micro

Worldwide Endpoint Security Revenue Share by Vendor, 2010

Source: IDC, 2011

Source: 2011 Technavio – Global Virtualization Security Management Solutions

Source: 2012 Technavio – Global Cloud Security Software Market

Trend Micro is No.1 in Server, Virtualization, & Cloud Security

Why is Trend Micro an Expert?

#1 in Cloud Security

#1 in Virtualization Security

#1 in Server Security

Page 33: CW13 Securing Your Journey to the Cloud by Rami Naccache

Virtual Cloud Physical

Virtualization and Cloud Security

One Security Model is Possible

• Reduce Your Cost of Operations

• Reduce Your Investment in Management

• Increase Application Stability and Performance

• Achieve Compliance in Virtual and Cloud Environments

• Get Higher Virtualization and Cloud ROI

• Safely Use Private, Public, and Hybrid Clouds


Page 34: CW13 Securing Your Journey to the Cloud by Rami Naccache


www.cloudjourney.com