Presentation cisco cloud security

© 2010 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1
Jean-François Pujol
Cisco Systems
Cloud Security

© 2010 Cisco Systems, Inc. All rights reserved. Cisco Systems 2© 2008 Cisco Systems, Inc. All rights reserved. Cisco SystemsPresentation_ID
… and one other
Public Cloud
Private Cloud
Virtual Private
Cloud
Hybrid Cloud
Community
Cloud
Quick reminder :
Cloud Deployment Model
Public Cloud
Cloud infrastructure made available to the
general public.
Private Cloud
Cloud infrastructure operated solely for an
organization.
Virtual Private
Cloud
Cloud services that simulate the private
cloud experience in public cloud
infrastructure
Hybrid Cloud
Cloud infrastructure composed of two or
more clouds that interoperate or federate
through technology
Community
Cloud
Cloud infrastructure shared by several
organizations and supporting a specific
community
NIST
Deployment
Models

© 2010 Cisco Systems, Inc. All rights reserved. Cisco Systems 3
Public vs. Private Cloud Security
While the technology basement remains the same, we
may consider two different approaches to the problem :
  Public Cloud :
– Delegation versus Trust
  Private Cloud :
– Abstraction / Virtualization versus Complexity

Considerations about the
Public Cloud Security

The New World : Shifting Borders
IT Consumerization
Device
Border
Mobile
Worker
Location
Border
Internal Applications
IaaS,SaaS
Application As A Service
Application
Border

The (not so) New World : Location Border
Mobile
Worker
Location
Border

Traditional Corporate Border
Corporate Border
Branch Office
Applications
and Data
Corporate Office
Policy
Attackers

Now with Mobile Users and VPNs
Corporate Border
Branch Office
Applications
and Data
Corporate Office
Policy
Attackers
Home Office
Mobile
User

With Mobile Users when
not protected by VPNs…
Corporate Border
Branch Office
Applications
and Data
Corporate Office
Policy
Attackers
Home Office
Mobile
User

The New World : Application Border
IaaS,SaaS
Application As A Service
Application
Border

...Everything is Cloud
The Consumer’s View of Cloud

These Cloudy Days …
  Internet is reliable
  Cloud services are well known in the consumer market,
and the consumer market creates some pressure in the
enterprise world.
  Is LinkedIn a consumer/personal or business service ?
  Enterprises are turning every single task into a process.
It creates a strong traction for adopting services (OPEX
vs CAPEX)

Organizations don’t have even the
choice …

choice …

First security concern
  Enterprises are using unmanaged cloud services today
– in a more or less control way
  On public and (almost) free consumer platforms :
– No real control over the corporate image
– Risks of information leakage
– Risks of misleading
– Risks of Social Engineering attacks

Global trend for outsourcing
  Every business process is analyzed :
– Down to a single application
– Down to any individual
  If you can define it, measure it, and it is not a core
business activity, you want to outsource it

Can you afford to manage the risk ?
Imagine you have :
  A couple of consultants
  Employees under temporary contract
  A complete department is outsourced (Dev, Marketing,
etc…)
  Datacenter exploitation is outsourced
  Networks, servers, premises, and people are
outsourced
  Cloud based services

Key to Broader Adoption of Cloud: Trust
Before the Economics of Cloud Computing Can be Considered,
Organizations Require a Trusted Service Infrastructure
Security Control
Service-Level
Management
Compliance

Enterprise Deployment Models
Distinguishing between Ownership and Control
Ownership
Control
Internal Resources
All cloud
resources
owned by or
dedicated to
enterprise
External Resources
All cloud
resources owned
by providers;
used by many
customers
Private Cloud
Cloud definition/
governance
controlled by
enterprise
Public Cloud
Cloud definition/
governance
controlled by
provider

Data
App
VM
Server
Storage
Network
Dedicated IT
Data
App
VM
Server
Storage
Network
Data
App
VM
Server
Storage
Network
Data
App
VM
Server
Storage
Network
Data
App
VM
Server
Storage
Network
Hosting Provider Public Iaas Public Paas Public Saas
Organization shares control
with service providerOrganization has control Service provider has control
Control and Trust evolve with cloud

What This Means To Security
Amazon EC2 - IaaS
The lower down the stack the Cloud provider
stops, the more security you are tactically
responsible for implementing & managing
yourself.
Salesforce - SaaS
Google AppEngine - PaaS

The Cloud Security Alliance’s 13 Critical Areas Of Focus for Cloud:
1. Architecture & Framework
Governing the Cloud Operating the Cloud
2. Governance & Risk Mgmt 8. Traditional BCM, DR
3. Legal & Electronic Discovery 9. Datacenter Operations
5. Compliance & Audit 10. Incident Response
6. Information Lifecycle Mgmt 11. Application Security
7. Portability & Interoperability 12. Encryption & Key Mgmt
13. Identity & Access Mgmt
www.cloudsecurityalliance.org
Cloud Security Alliance - Guidance

The Cloud Security Alliance’s Top Threats to Cloud Computing V1.0 :
www.cloudsecurityalliance.org
Cloud Security Alliance
Top Threats to Cloud Computing
1. Abuse and Nefarious Use of Cloud
2. Insecure Interfaces and APIs
3. Malicious Insiders
4. Shared Technology
5. Data Loss or
6. Account or Service Hijacking
7. Unknown Risk Profile

Some important factors to consider
for the service
 Single Tenancy / Multi-tenancy
 Isolated Data / Co-mingled Data
 Dedicated Security / Socialist Security
 On-premise / Off-premise

CloudAudit & the A6 Deliverable
 Provide a common interface
and namespace that allows
cloud computing providers to
automate the Audit, Assertion,
Assessment, and Assurance
(A6) of their environments
 Allow authorized consumers of
services to do likewise via an
open, extensible and secure
interface and methodology.
http://www.cloudaudit.org

That is the question …
 May your private organization be potentially
more secure than a public cloud service ?
 (and/or cheaper …)

Saleforce.com
82 000 + customers …

Could you Trust Force.com ?

Force.com Security Literature

Security recommendations
  1# educate your users
  2# Identify your primary security contact
  3# Secure Employee Systems
  4# Implement IP restrictions
  5# strengthen password policies
  6# require secure sessions
  7# Decrease session timeout value
Reference: http://wiki.developerforce.com/index.php/
An_Overview_of_Force.com_SecuritySecurity
Webinar : https://salesforce.acrobat.com/securitywebinar

The New World : Device Borders
IT Consumerization
Device
BorderInternal Applications
Are they still corporate assets ?

Desktop Virtualization is part of the
Security Journey

Corporate Border
Branch Office
Applications
and Data
Corporate Office
Policy
Attackers
Home Office
Coffee
Shop
Customers
Airport
Mobile
User Partners
Platform
as a Service
Infrastructure
as a Service
X
as a Service
Software
as a Service
Concern: Security in a Cloud World

Branch
Office
Corporate
Office
Home
Office
SaaS Access Control
Regaining Visibility and Control Through Identity
SAML-
basedAnyConnect
Secure
Mobility Client
Visibility | Centralized Enforcement | Single Source Revocation
Redirect @ Login
SaaS
Single
Sign On
Web
Security
Appliance
Directory

AnyConnect Secure Mobility Vision
On-Premise Gateway or Cloud Policy Enforcement
Cisco
Cisco
Web Security Appliance
ASA
The image cannot be
displayed. Your
computer may not have
enough memory to open
the image, or the image
may have been
corrupted. Restart your
computer, and then
open the ﬁle again. If
the red x still appears,
you may have to delete
the image and then
insert it again.
Social Networking
Enterprise SaaS
News
EmailIntegration
of ScanSafe’s client
ON-PREMISE
AnyConnect

Mobile Users and Secured Cloud Access
Corporate Border
Branch Office
Applications
and Data
Corporate Office
Policy
Attackers
Home Office
Mobile
User
Enterprise SaaS

Non Secured Users Should Be Filtered
Out
Corporate Border
Branch Office
Applications
and Data
Corporate Office
Policy
Attackers
Home Office
Mobile
User
Enterprise SaaS

Public Services Access Can Be
Filtered Out
https://na1.salesforce.com/help/doc/en/salesforce_security_impl_guide.pdf

Considerations about the
Private Cloud Security

Trusted
Controlled
Reliable
Secure
CLOSED
First days of a Private Cloud
Anchored on Trust & Control

Highly Virtualized
Data Centers and
Cloud Computing
Trusted
Controlled
Reliable
Secure
Flexible
Dynamic
On-demand
Efficient
Cloud Computing
Targeting Agility and Efficiency

Virtualization & Cloud Driving New
Requirements in Data Center
VDC-1
VDC-2
Hypervisor
App
OS
App
OS
App
OS
Dedicated
Network
Services
Firewall SLB/ADC WAN Opt
Virtual Service Nodes (VSNs)
• Virtual appliance form factor
• Dynamic Instantiation/Provisioning
• Service transparent to VM mobility
• Support scale-out
• Large scale multi-tenant operation
• Application-specific
services
• Form factors:
•  Appliance
•  Switch module
Virtual Network Services

Fully Inter-connected Network Services
Vision
ASA

SIA
Nexus 1000V
SIA
Inter-connected
services across
physical and virtual
environments
SIA: Service Insertion Architecture
VSN
vPath
SIA
SIA
Distribution Layer
Services
Virtual Network
Services
VSN

Data Center Security Challenges
  Virtualization
  Applications
  Data Loss
  Compliance
  Availability

Cloud-Specific Issues Emerging
 Organizational & Operational Misalignment
 Monoculture of Operating Systems, Virtualized
Components & Platforms
 Privacy Of Data/Metadata, Exfiltration and
Leakage
 Inability to Deploy Compensating or Detective
Controls
 Segmentation & Isolation In Multi-tenant
environments...

Cloud Happiness
  Centralized Data (sort of...)
  Segmented data/applications
  Better Logging/Accountability
  Standardized images for asset deployment
  Better Resilience to attack & streamlined incident
response
  More streamlined Audit and Compliance
  Better visibility to process
  Faster deployment of applications, services, etc.
The Cloud can provide the following security benefits:

Key Takeaways

Key Takeaways
(From A Customer’s Perspective)
  Have a risk assessment methodology, classify assets and
data.
  Interrogate vendors and providers; use the same diligence that
you would for outsourced services today; focus on resilience/
recovery, SLA’s, confidentiality, privacy and segmentation.
  The challenge is to match business/security requirements
against the various *aaS model(s)
  Each of the *aaS models provides a delicate balance of
openness, flexibility, control, security and extensibility
  Regardless of the model, you are still responsible for some
element of security

References
  Cloud literature on Cisco.com
http://www.cisco.com/en/US/netsol/ns976/index.html
  Cloud Computing Google Groups:
  Cloud Computing
http://groups.google.com/group/cloud-computing
  Cloud Computing Interoperability Forum
http://groups.google.com/group/cloudforum
  Cloud Storage
http://groups.google.com/group/cloudstorage
  Attend a local
  Join the Cloud Security Alliance & CloudAudit...

Presentation cisco cloud security

More Related Content

What's hot (20)

Viewers also liked (11)

Similar to Presentation cisco cloud security (20)

More from xKinAnx (20)

Recently uploaded (20)

Presentation cisco cloud security