![Enterprise Risks & Security Interests
Risk Enterprise Provider
Insecure, Porous APIs Major Risk Man in the middle, content threats, code injection, DoS attacks
Don’t care. API security converges along with market price
Logical Multi-Tenancy Unknown Risk Virtual machine attacks, malicious code, comingled data
Don’t care. Security of the multi-tenant architecture is a problem for [Insert Hypervisor Vendor
Name] to solve. Oh, and trust us that your data is separate from your neighbor
Data Protection and Major Risk Reduced confidentiality for private data stored in the clear at the cloud provider
Leakage
Opposite incentive. Clear text data allows me to provide increased functions based on search
Data Loss and Reliability Major Risk Unavailability or loss of critical enterprise data
Care a little. Infrastructure reliability is guaranteed according to my SLA, plus you get a refund if
we mess up ☺
Audit and Monitoring Major Risk Rogue uses of cloud services in Enterprise
Care a little. I will provide basic monitoring of infrastructure but the rest is up to you
Cloud Provider Insider Unknown Risk Mismatched security practices at CSP creates a weak link for attackers
Threats
Don’t care. We are secure enough. Just trust us.
Account Hacking, Access Major Risk Coarse access control at CSP increases the value of a stolen account
Control, and Authorization
Care a little. AAA mechanisms must be good enough to support my SaaS app. It’s your job to
map to our way of handling identities.](https://image.slidesharecdn.com/7364billyblakepresentation-100609093029-phpapp02/85/Projecting-Enterprise-Security-Requirements-on-the-Cloud-6-320.jpg)
Projecting Enterprise Security Requirements on the Cloud
- 1. Projecting Enterprise Security Requirements on the Cloud Case Study- Cloud Presented by: Billy Cox– Director Cloud Computing Strategy, Intel Blake Dournaee– Product Manager & Author- SOA Demystified, Intel
- 2. Topic Agenda • Enterprise Risk Factors & Criteria • What can Enterpise Control Enterprise Requirements • Emerging Standards & Models • What Can be Done Today • Summary of Intel Cloud Capabilities
- 3. Potential Risk- Illustrated Amazon Ec2 Keys to the Castle Basic Auth Enterprise Credentials Compromised For Access Enterprise VM Images
- 4. Potential Risk- Illustrated Amazon Ec2 Rogue Image Trojan Injected Amongst Enterprise VMs
- 5. Potential Risk- Illustrated Virus replayed back in Enterprise Amazon Ec2 Data sent and lost to unknown source
- 6. Enterprise Risks & Security Interests Risk Enterprise Provider Insecure, Porous APIs Major Risk Man in the middle, content threats, code injection, DoS attacks Don’t care. API security converges along with market price Logical Multi-Tenancy Unknown Risk Virtual machine attacks, malicious code, comingled data Don’t care. Security of the multi-tenant architecture is a problem for [Insert Hypervisor Vendor Name] to solve. Oh, and trust us that your data is separate from your neighbor Data Protection and Major Risk Reduced confidentiality for private data stored in the clear at the cloud provider Leakage Opposite incentive. Clear text data allows me to provide increased functions based on search Data Loss and Reliability Major Risk Unavailability or loss of critical enterprise data Care a little. Infrastructure reliability is guaranteed according to my SLA, plus you get a refund if we mess up ☺ Audit and Monitoring Major Risk Rogue uses of cloud services in Enterprise Care a little. I will provide basic monitoring of infrastructure but the rest is up to you Cloud Provider Insider Unknown Risk Mismatched security practices at CSP creates a weak link for attackers Threats Don’t care. We are secure enough. Just trust us. Account Hacking, Access Major Risk Coarse access control at CSP increases the value of a stolen account Control, and Authorization Care a little. AAA mechanisms must be good enough to support my SaaS app. It’s your job to map to our way of handling identities.
- 7. Where does Control Lie? Provider Enterprise Four of the seven risks are directly under the enterprise control • Insecure, Porous APIs • Data Protection and Leakage • Audit and Monitoring • Account Hacking, Access Control, and Authorization Short of a boycott, the remaining 3 are largely out of control… • Logical Multi-Tenancy • Data Loss and Reliability • Cloud Provider Insider Threats
- 10. Cloud - Eucalyptus Cloud Client Customer (consumer) Network Lab Infrastructure Eucalyptus Cloud Bulk Storage Infrastructure iSCSI Walrus Caching Router Cloud Storage Storage Proxy Controller Service Server Cluster block storage and compute Block Block Power managers Cluster Storage Cluster Storage Controller Power Controller Controller Controller Manager Management Node Node Controller Controller Node Node Controller Controller KA3 Node Node Controller Controller Node Node Controller Compute Clusters Controller Node Node Controller Controller
- 11. Slide 10 KA3 Fix box titles Kelly Anderson, 21/05/2010
- 12. Basic Model Cloud Provider Web Service Request UDDI or Resource Enterprise Credentials & Policies User User Credentials & Policies IdM Security Profile Internal IdM • Authentication token • Customer access control policies • Customer data protection policies
- 13. Cloud Access through a Broker Cloud Service Cloud Broker Provider Broker Token Web UDDI or Service UDDI or Resource Resource Enterprise Request Credentials Broker & Policies Credentials User Broker User & Policies Credentials Credentials & Policies & Policies IdM Security Security Profile Profile Internal IdM Internal IdM External IdM
- 14. #1 – Broker as Management Entry Point Cloud Provider Cloud Mgr Cloud Site 1 Enterprise Consumer Request Service Gateway Cloud Site 2 IdM Identity Reference Cloud Site 3 • Entry point for cloud management (not data, only mgmt) • Single point of entry and validation for all sites and Cloud Consumers • Consistent credentials validation
- 15. #2 –Broker as Outbound PEP Dynamic Enterprise Perimeter Consumer Private Cloud Cloud Provider 1 User User Cloud Provider 2 User UDDI or Resource • Cloud customer accesses multiple clouds • Internal users don’t want to see that complexity • Broker directs based in policy and converts protocols as necessary • Secures provider access credentials
- 16. Public Cloud & SaaS
- 17. Private Cloud Virtual Gateway Usage Model Private 3. SOAP, REST or JSON SAML Response Cloud 1 Enterprise Service Virtualization 2. Virtualize, Load Balance, Firewall, Generate SAML Token Portal & CRM App Partner Private Cloud 2 IdM , Active API & Token Broker Directory, ABAC 1. User AuthN/Auth- SOAP/REST, Kerberos, Basic Auth, Siteminder, X.509 Dynamic Enterprise Perimeter In VPDC, Service Gateway protects access to Services, maps credentials, enforces ABAC, brokers protocols & formats
- 18. CloudBurst Security Using Virtual Gateway 3. Local Authentication 4. Mapped to an AWS Credential in Request for Resource 2. Locate Resource(s) Amazon EC2 Enterprise Storage Public Cloud Private IdM or Cloud Active Directory UDDI or API & HSM Resource Force.com Apps Portal or Web Public Cloud Dynamic Service Enterprise Perimeter 5. Generate SAML Request with Request for Resource to Force 1. Request with Credentials to Access a Resource Manage, secure, hide Cloud brokering complexity. Convert formats. Provide access control
- 19. More Information on Intel SOA Expressway & Cloud w er brings ne T his Intel pap ud Security detail to Clo t practices” Alliance bes vis – Jim Rea irector, Executive D ty Alliance Cloud Securi www.dynamicperimeter.com
- 20. Questions? Click on the questions tab on your screen, type in your question, name and e-mail address; then hit submit.