HOW SECURE IS YOUR PRIVATE CLOUD?
Peter Bury
Enterprise Technology Specialist, Intel Security
27 September 2016
TODAY’S SPEAKER
Peter Bury
Enterprise Technology Specialist
Intel Security
AGENDA
• Which style of Cloud is right for you?
• What does a Private Cloud look like?
• Workload Security
• Infrastructure Security
THE DATA CENTER IS TRANSFORMING
• 200%: Public Cloud Services spending to double from 2015 to 2020 [1]
• 40%: of data will be stored or processed by the cloud by 2020 [2]
• 54%: CAGR of SDN* and NFV** investments by 2020 [4]
• 78%: of workloads will be processed in cloud by 2018 [3]
*Software-Defined Network **Network Function Virtualization
[Figure: Value and Complexity rising along the ladder Physical Datacenter, Virtual Datacenter, Private Cloud, PaaS, IaaS, SaaS]
Are you currently running a cloud transformation project where you need to decide between using private or public cloud?
A. Yes
B. No, not currently, but have in the past
C. No, never
POLLING QUESTION 1
WHY CLOUD?
Public to Private
• UK Telco - £450,000/month on public cloud services
• UK Media Group - £250,000/month on public cloud services
Physical to Public
• EMEA Governmental Cloud First Strategies
• Highly Automated - Running across multiple providers (AWS, Azure, Oracle, SoftLink)
• Aim to be 100% Public Cloud
• Security is still an issue, but believed to be doable
RESULTING CHALLENGES
(across Physical Datacenter, Virtual Datacenter, Private Cloud and Public Cloud)
• Security
• Complexity / Defense in Depth
• Visibility
• Speed
• Dynamic Environment
• Increased Complexity
• Technology Silos
• Automation
• Rely on provider SLAs
• Shadow IT
• Maintaining Inventory
• No Source of Truth
• Access & Authentication
• Shared Infrastructure
• Demonstrable Security
UNDERSTANDING SHARED RESPONSIBILITY
Customer (responsible for security 'in' the cloud):
• Customer Data
• Application Platform, Identity and Access Management
• Operating System, Network and Firewall Configuration
• Client-side Data Encryption and Data Integrity Authentication
• Server-side Encryption (File System and/or data)
• Network Traffic Protection (Encryption/Integrity/Identity)
Provider (responsible for security 'of' the cloud):
• Compute, Storage, Database, Networking
• Provider Global Infrastructure (Regions, Availability Zones, Edge Locations)
The split above is the IaaS case. For PaaS and SaaS the line moves up the stack and the provider takes on more of the layers listed under the customer; what never moves is responsibility for the customer's own data and for who is allowed to access it.
Have security concerns ever hampered a cloud project in your organization?
A. Yes, security concerns stopped our cloud project
B. Yes, security concerns altered our preferred architecture
C. Yes, security concerns slowed down the project and drove up costs
D. No, we dealt with security concerns as part of the project
E. No, we ignored security concerns and went ahead
POLLING QUESTION 2
BEFORE YOU CAN FIND A NEEDLE IN A HAYSTACK … YOU NEED TO BUILD A HAYSTACK
A STRATEGY FOR HYBRID DATACENTER
Across Physical Datacenter, Virtual Datacenter, Private Cloud and Public Cloud:
• CONSISTENT VISIBILITY
• CONSISTENT MANAGEMENT
• CONSISTENT POLICY
• CONSISTENT THREAT INTELLIGENCE
What does a Private Cloud look like?
#1 PHYSICAL DATACENTER
[Figure: infrastructure of physical compute nodes, each area run from its own management console (Network, Compute, Security, Storage, etc.; Compute and Security; Network and Security)]
#2 VIRTUAL DATACENTER
[Figure: compute nodes with virtual switches over physical NICs (PNIC), network and ACLs, and still several separate management consoles]
• DR and Consolidation
• Split Domain
• Static
• Many people stop here
#3 PRIVATE CLOUD
[Figure: compute nodes under an SDx platform, fronted by a service portal, automation & orchestration, and a single management layer]
SDx Platform:
• Virtualization
• Compute
• Network
• Security
Providing:
• Automation
• Scalability
• Extensibility
BLUEPRINT FOR A SECURE CLOUD AND HYBRID DATACENTER
Physical DC + Virtual DC + Public Cloud = Hybrid Data Center (Compute, Network, Storage; Databases, Web Apps, Enterprise Apps)
Cloud Workload Security:
• IaaS Discovery & Monitoring
• Cloud Connectors
Platform Enabled Protection:
• AV
• Virtual IPS
Augmented with Server Protection:
• App/Change Control
• EDR
App/Content Security:
• Sec for Databases
• Sec for SharePoint
• Sec for Storage
Security Management and Intelligence Sharing span all of the above.
SOFTWARE-DEFINED DATA CENTER (SDDC) SECURITY FUNCTIONAL REQUIREMENTS
CAN WE DELIVER SECURITY THROUGH INFRASTRUCTURE?
• East/West Traffic: security inspection within the perimeter AND the hypervisor
• Workload migration: widely distributed inspection capability
• New workload protection: inspect new workload traffic immediately
• Integrate with SDDC Security: security doesn't impact performance and availability
IN-DEPTH PROTECTION FOR EAST-WEST TRAFFIC FLOWS IN VMWARE ENVIRONMENTS
[Figure: a perimeter firewall in front of the data center; inside, the NSX distributed firewall separates the Finance, HR and Production Security Groups, each with DMZ, APP and DB tiers and shared Services; Security Management (McAfee Network Security Manager) drives an Open Security Controller and a Security Functions Catalog that place a vNSP (virtual Network Security Platform) sensor on every host]
ON THE WORKLOAD: AV OPTIMIZED FOR THE PRIVATE CLOUD
[Figure: McAfee ePO managing a data center of VMware vSphere hosts with VMware NSX or vShield Endpoint; each host runs guest VMs with VMtools and one MOVE SVM (Security Virtual Machine); the NSX/vShield Manager and the MOVE SVA Manager sit beside ePO]
Agentless
• An SVM protects all the VMs on its hypervisor
• ePO is tightly integrated with VMware NSX
Multi-platform
• An SVM can protect 200-400 VMs
• SVA Manager acts as a Load Balancer & provisions SVMs elastically
CONFIGURE POLICY WITH INFRASTRUCTURE SECURITY GROUPS
1. Select elements to uniquely identify application workloads
2. Use attributes to create Security Groups
3. Apply policies to security groups
Example: App 1 (OS: Windows 8, TAG: "Production") -> GroupXYZ -> Policy 2 ("AV for Production", "FW for Production"); Policy 1 is "IPS for Desktops", "FW for Desktops"
Element types:
• Static: Data center, Virtual net, Virtual machine, vNIC
• Dynamic: VM name, OS type, User ID, Security tag
Use security groups to abstract policy from application workloads:
• Enforce policy based on logical constructs
• Reduce configuration errors
• Policy follows VM, not IP
• Reduce rule sprawl and complexity
AUTOMATE SECURITY OPERATIONS
ATTRIBUTE (if) -> ACTION (then):
• Virus found -> Quarantine VM with Firewall
• Vulnerability found (old software version, e.g. IIS.EXE) -> Monitor VM with IPS
• Sensitive Data Found / "PCI" -> Allow & Encrypt*, OR Restrict access while investigating
• Automated detection of security conditions (virus, vulnerability, etc.)
• Security policies define automated actions
• Security operations are automated and adapt to dynamic conditions
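The security-group and automation slides above describe one policy loop: group membership is computed from workload attributes (static elements such as data center or vNIC, dynamic ones such as OS type or security tag), policies bind to groups, and a detection changes a tag so that the response "follows the VM, not the IP". The following is an added example written for this page, not McAfee or VMware code: a small Python model of that loop, plus a distributed-firewall check between two workloads that never consults an IP address. Group names, policy names, the tag each automation rule applies, the event names and the sample workloads are all assumptions chosen to match the slide text.

```python
"""Policy that follows the workload, not its IP address.

Added example (not McAfee/VMware code): a toy model of attribute-based
security groups, the policies bound to them, tag-driven automated response
and a distributed-firewall check between workloads. Attribute names mirror
the slide's element types; group, policy, tag and event names are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Workload:
    name: str
    ip: str                                  # never used for policy lookups
    datacenter: str                          # static element
    os_type: str                             # dynamic element
    tags: set = field(default_factory=set)   # dynamic element: security tags


@dataclass(frozen=True)
class SecurityGroup:
    name: str
    attr: str      # workload attribute the group is keyed on
    value: str     # required value; for "tag" the tag must be present

    def matches(self, w: Workload) -> bool:
        have = w.tags if self.attr == "tag" else {getattr(w, self.attr)}
        return self.value in have


GROUPS = [
    SecurityGroup("Desktops",   "os_type",    "Windows 8"),
    SecurityGroup("DC-London",  "datacenter", "London"),
    SecurityGroup("Production", "tag",        "Production"),
    SecurityGroup("MonitorIPS", "tag",        "Vulnerable"),
    SecurityGroup("PCI",        "tag",        "PCI"),
    SecurityGroup("Quarantine", "tag",        "Quarantine"),
]

# Controls bound to each group; a workload gets the union over its groups.
POLICIES = {
    "Desktops":   {"IPS for Desktops", "FW for Desktops"},
    "Production": {"AV for Production", "FW for Production"},
    "MonitorIPS": {"Monitor VM with IPS"},
    "PCI":        {"Allow & Encrypt", "Restrict access while investigating"},
    "Quarantine": {"Quarantine VM with Firewall"},
}

# Automation: detected condition (if) -> security tag that moves the VM into
# the group whose policy carries the action (then). Event names are constructed.
RESPONSE_TAGS = {
    "virus_found":          "Quarantine",
    "vulnerability_found":  "Vulnerable",
    "sensitive_data_found": "PCI",
}

# Distributed firewall: rules keyed on groups, first match wins, default deny.
# "*" matches any group or any port. Isolation rules come first on purpose so
# that no later allow can override a quarantine.
DFW_RULES = [
    ("Quarantine", "*",          "*",  "deny"),
    ("*",          "Quarantine", "*",  "deny"),
    ("Desktops",   "Production", 443,  "allow"),
    ("Production", "Production", 1433, "allow"),  # app tier -> SQL tier
]


def groups_for(w: Workload) -> set:
    return {g.name for g in GROUPS if g.matches(w)}


def effective_policy(w: Workload) -> set:
    controls = set()
    for name in groups_for(w):
        controls |= POLICIES.get(name, set())
    return controls


def handle_event(w: Workload, event: str) -> set:
    """Apply the automation rule for a detection and return the new policy."""
    tag = RESPONSE_TAGS.get(event)
    if tag is None:
        raise ValueError(f"no automation rule for event {event!r}")
    w.tags.add(tag)
    return effective_policy(w)


def dfw_decision(src: Workload, dst: Workload, port: int) -> str:
    sg, dg = groups_for(src), groups_for(dst)
    for s, d, p, action in DFW_RULES:
        if (s == "*" or s in sg) and (d == "*" or d in dg) and (p == "*" or p == port):
            return action
    return "deny"


if __name__ == "__main__":
    app = Workload("App 1", "10.0.1.10", "London", "Windows 8", {"Production"})
    db = Workload("DB 1", "10.0.2.20", "London", "Linux", {"Production"})
    print(sorted(effective_policy(app)))
    print(dfw_decision(app, db, 1433))   # allow: app tier to SQL tier
    handle_event(app, "virus_found")
    app.ip = "10.0.9.9"                  # re-IP after migration: no effect
    print(dfw_decision(app, db, 1433))   # deny: the Quarantine tag moved with the VM
```

The step worth checking is the last one in `__main__`: after `virus_found` the app VM lands in the Quarantine group and its east-west SQL flow is denied, and re-addressing the VM afterwards changes nothing, because no rule was ever keyed on `ip`. A rule written against 10.0.1.10 would have silently stopped applying at that point, which is the "policy follows VM, not IP" claim from the slide made concrete.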
HYBRID DATACENTER SOLUTIONS
EFFICIENCY / EFFECTIVENESS / AGILITY / SPEED
• Single platform to meet cloud compliance and cyber security requirements for all cloud operating models
• Leveraging the same security platform for all cloud operating models reduces training requirements and simplifies audit reporting
• DXL (Data Exchange Layer) provides capability to easily add new control points
• Leveraging the same security platform for all cloud operating models decreases Time to Value
Questions?
www.intelsecurity.com/privatecloudsecurity
THANK YOU FOR
ATTENDING THIS
WEBINAR
For more information, visit www.ISACA.org
THIS TRAINING CONTENT (“CONTENT”) IS PROVIDED TO YOU WITHOUT WARRANTY, “AS IS” AND “WITH ALL
FAULTS.” ISACA MAKES NO REPRESENTATIONS OR WARRANTIES EXPRESS OR IMPLIED, INCLUDING
THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR PERFORMANCE, AND NON-
INFRINGEMENT, ALL OF WHICH ARE HEREBY EXPRESSLY DISCLAIMED.
YOU ASSUME THE ENTIRE RISK FOR USE OF THE CONTENT AND ACKNOWLEDGE THAT: ISACA HAS
DESIGNED THE CONTENT PRIMARILY AS AN EDUCATIONAL RESOURCE FOR IT PROFESSIONALS AND
THEREFORE THE CONTENT SHOULD NOT BE DEEMED EITHER TO SET FORTH ALL APPROPRIATE
PROCEDURES, TESTS, OR CONTROLS OR TO SUGGEST THAT OTHER PROCEDURES, TESTS, OR
CONTROLS THAT ARE NOT INCLUDED MAY NOT BE APPROPRIATE; ISACA DOES NOT CLAIM THAT USE OF
THE CONTENT WILL ASSURE A SUCCESSFUL OUTCOME AND YOU ARE RESPONSIBLE FOR APPLYING
PROFESSIONAL JUDGMENT TO THE SPECIFIC CIRCUMSTANCES PRESENTED TO DETERMINING THE
APPROPRIATE PROCEDURES, TESTS, OR CONTROLS.
Copyright © 2016 by the Information Systems Audit and Control Association, Inc. (ISACA). All rights reserved. This
webinar may not be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system, or
transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise).