NU MSIT 458 - Security Models for Cloud

This preview shows page 1-2-21-22 out of 22 pages.


Security Models for Cloud
Kurtis E. Minder, CISSP
Saturday, December 4, 2010

Introduction
Kurtis E. Minder, Technical Sales Professional
Companies:
Roles:
• Security Design Engineer
• Systems Engineer
• Sales Engineer
• Salesperson
• Business Development
• Global Account Manager
Actual work:
• Installation / Configuration
• Design
• Support
• Product development / POC
• Audit
• Penetration testing
• Sales / BD

CISSP Certification
• Access Control
• Application Security
• Business Continuity and Disaster Recovery Planning
• Cryptography
• Information Security and Risk Management
• Legal, Regulations, Compliance and Investigations
• Operations Security
• Physical (Environmental) Security
• Security Architecture and Design
The CISSP was the first credential in the field of information security, accredited by the ANSI (American National Standards Institute) to ISO (International Standards Organization) Standard 17024:2003. CISSP certification is not only an objective measure of excellence, but a globally recognized standard of achievement.

Agenda
• Introductions
• Security Consolidation
• Cloud Security Models
• Cloud Security
• Security for Cloud Apps
• Who Pays this Guy?
• Q&A

Consolidate, they said.
• Gartner
• IDC
• Frost & Sullivan
Point of Failure, Multiple Consoles, Troubleshooting Difficulty, Licensing

U T M
Unified Threat Management
• Fortinet Maintains the Lead
• Cisco and Juniper Follow
Why UTM? <-- Not Rhetorical
• Consolidated Approach
• Economic Benefits
• Architectural Benefits
• Security Benefits (Best of breed not best after all?)

Case Study - UTM
• Massive Organization
• Too Many Internet Connections
• Too Many Devices
• Too Many Vendors
• Too Many Management Consoles
• Carrier Partner Delivers Connectivity
• Hosted Security in Wiring Center
• Multitenant
• Multi-discipline (UTM)
• Customer Portal Interface

M S S
Managed Security Services, Why?
• Operational Benefits
• No Capital Expenditure
• Displaced Accountability
• “Pure play” vs. Bundled Services / Utility Model
• Cloud vs. CPE

Cloud
Cloud Security, what does that mean?
• “Clean Pipe” or Security Services as a Utility
• Shared Services Model (Multi-tenancy)
• Integrating with the carrier backbone
Cloud Computing
• SAAS, IAAS, PAAS need Security!
• How to provision? Is it VM? Is it appliance?

Cloud Security Example
[Diagram labels: MPLS, Internet, Data Center; Customer A, Customer B, Customer C Office 1, Customer C Office 2; four VLANs; four VDOMs]

Cloud Security / Clean Pipe
[Diagram labels: VPLS ID, MPLS NETWORK, VLAN ID, VDOM, Private Network]

Cloud Computing Offerings
• Infrastructure as a Service (Sometimes Hardware as a Service, HAAS): Outsourcing of equipment to SP - Examples are Storage, Processing, “Elastic Computing”
• Platform as a Service: Outsourcing of the computing platform to SP - Allows for custom development and flexibility (OS or web platform delivered as a service)
• Software as a Service: Complete application outsourced (WP, SF.com, etc.)

Securing Cloud Applications
• Most cloud applications are virtualized
• Hypervisor is a fundamental component
Hypervisor is a program that allows multiple operating systems to share a single hardware host. Each operating system appears to have the host's processor, memory, and other resources all to itself. However, the hypervisor is actually controlling the host processor and resources, allocating what is needed to each operating system in turn and making sure that the guest operating systems (called virtual machines) cannot disrupt each other. *
Three primary methods of securing cloud apps
• Extra-Hypervisor
• Intra-Hypervisor
• Host
*thanks techtarget

Extra-Hypervisor Security
• Outside the VM platform
• Typically an appliance
• Pros: Fast / Mature
• Cons: Lack of Visibility into VM space
[Diagram labels: Security Appliance (x2), VM (x6), VSWITCH (x2), HYPERVISOR]

Intra-Hypervisor Security
• VM based
• Typically leverages API for integration with the hypervisor
• Pros: Visibility to intra-VM communication
• Cons: Takes CPU from VM execution
[Diagram labels: VM (x8), VSWITCH (x2), HYPERVISOR, Security VM (x2)]

The VM Security Problem
• VSwitch is not a switch
• VMWare has retracted some API options
• High Availability is more complicated
• Takes Resources from VM application operations
• Easy to create new applications!

Protected Provisioning
• VM security element is dynamically created based on policy.
• Application templates are pre-defined
• UTM Policy templates are pre-defined
• Mail Server -> FW VM, IDP, AntiSpam
• Web Server -> FW VM, WAF <- Automatic VA

The Wormhole
• Many security products have built in virtualization
• What happens when you virtualize them?
• Cool Stuff, welcome to the matrix.
[Diagram labels: Root; Web Security VDOM, Mail Security VDOM, SAP Security VDOM; Web Server VM, Mail Server VM, SAP Server VM; Security VM; Hypervisor]

Combined Architecture
[Diagram labels: Internet Vswitch, Intranet Vswitch, Vswitch (x3); Security VM With Virtualization; Web Servers, DB Servers, Mail Servers, Collaboration Servers; NIC (x2); Security Appliance (x2); Network; Hypervisor; VM Kernel; MGMT]

Concluding
• Unified Threat Management / Consolidation a pervasive and persistent trend
• Managed Services / Utility and Cloud Security offers a viable alternative to self managed
• Evolution of physical to virtual driving security architecture in new directions
• Policy and Process must be automated to ensure proper compliance and protection for virtual assets

I Work @ FTNT
• Founded in 2000
• Nasdaq Listed FTNT
• ~1300 Employees
• Over 600k units shipped
• Over 100k customers
• 10 Years!

Thank You!
Questions?

